Hello,
I have a set of data occurring randomly and I would like to have an event every second.
I am able to get that when I work with one single file and the following command:
**timechart cont=true span=1s values(field1) as fields2**
==> an event is created each second with empty fields2 when needed
When I use this command on several files, it is not working anymore; I guess that Splunk works globally on all events and not by file anymore, and I want to work source by source.
Then I tried to work with bucket:
**bucket _time span=1s | stats values(field1) as fields2 by _time**
==> no additional event is created.
At this time I have defined a custom search command to create the desired additional events, but I would like to do it in the Splunk search language.
Regards
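Added example (not part of the original post): one way to keep the per-second gap filling of `timechart cont=true` while still separating the data per file is to split the timechart by the `source` field. Splunk then produces one row per second and one column per source value, and `cont=true` still inserts the empty seconds. The index, sourcetype and field names below are assumed placeholders.

```spl
index=myindex sourcetype=mysourcetype
| timechart cont=true span=1s values(field1) as fields2 by source
```

The result is one row per second, with one column per source (columns are empty for the seconds in which that source had no event), which is not the same as one event per second per source. If the per-source rows are required, this split-by result is the closest you get without a custom command, and the missing combinations still have to be produced by the search rather than by `stats`, which only emits buckets that contain at least one event.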