I have data that looks like this:
When I perform my search the data returned by Splunk looks like this on the dashboard:
date="date" username="username filename="filename" 1000 bytes
You can see the problem... I can grab all of the "keyed" fields, but I can't get the value "1000 bytes" because it's not keyed. If I had AWK, I could grab the second to the last value of the string and I would be done.
Is there a way to grab the value "1000" above and place it into a value to inject into my tables???
Thanks