I have this search:
```
index=nitro_prod_ecomm earliest=-30m@m | rex field=_raw "\d\d\:\d\d\:\d\d\s+(?<ResponseTime>\d+\.\d+)" | where ResponseTime>1 | rex field=_raw "(?<header_page>(GET|POST)\s+\/(\w+))" | stats count by header_page
```
It gets me the first part of a URL from the raw rex field, which is what I want.
I want to get this information into my extracted fields section on the left. I want to be able to click "header_page" and have it show me what is being displayed by this search, such as "GET /store" etc. (like below).
![alt text][1]
When attempting to create an extracted field via the automatic builder, it cannot do it and needs a custom written one. I tried just using the rex from the search, but it didn't seem to work.
Any ideas?
[1]: /storage/temp/156171-screenshot-2016-08-15-at-15949-pm.png