I'm using this search:

```
index=_internal source="*license_usage.log" type=usage idx="f*"
| eval MB = round(b/1048576,2)
| eval idx = idx
| timechart span=1d sum(MB) by idx limit=0
| rename _time as Datum
| convert timeformat=%d.%m.%Y. ctime(Datum)
| addtotals
```

to find the usage of all indexes whose names start with the letter f (I have about 30 indexes starting with f out of approximately 750 indexes in total).
a) **How can I remove index *firewall* from the results?** I know it starts with f but I don't want it in the results of the search.
b) **How can I add index *test.f.something* in the results?** I know it doesn't start with f but I want it in the results of the search.
c) This is not mandatory but **can I replace dots with commas in the results?**