Trying to parse the following line:
newCount 20 OldCount 10
The following is my splunk query:
index="server" | rex "newCount"\s+"(?\w+)" | rex "OldCount"\s+"(?\w+)" | search newcount>0 | search oldcount>0 | timechart span=1h count
How can i ensure that irrespective of whether newCount or oldCount is greater than 0, my splunk query will catch that ?
↧