Tags: splunk, splunk-query

Splunk extracted field in dashboard


I am sending some data to splunk which looks like:

"Start|timestamp:1552607877702|type:counter|metricName:cache|count:34488378|End"

And then extracting the fields using a regex:

search "attrs.name"="service" | regex (Start)(.*)(End) | extract pairdelim="\"{|}" kvdelim=":"

After extraction, I can see the fields (type, metricName, count) under "INTERESTING FIELDS". How do I go about using these fields in a dashboard?

Thanks


Solution

search "attrs.name"="service" | regex (Start)(.*)(End) | extract pairdelim="\"{|}" kvdelim=":" | stats count by metricName

Or

search "attrs.name"="service" | regex (Start)(.*)(End) | extract pairdelim="\"{|}" kvdelim=":" | stats count by type

Or

search "attrs.name"="service" | regex (Start)(.*)(End) | extract pairdelim="\"{|}" kvdelim=":" | table type, metricName, count

should all give you a table, which can also be represented as a visualization. You can save any of these, or the original events, as a dashboard panel.
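As an added example (not part of the question or the answer above), here is a Splunk Simple XML dashboard that wires the extracted fields into panels rather than saving each search from the search bar. It reuses the searches from the answer; the dashboard label, the token names `metric` and `time_range`, and the `_time` column in the table are assumptions chosen for this example. The dropdown is populated from the extracted `metricName` field, and the two panels filter on the selected value.

```xml
<form>
  <label>Service cache metrics</label>

  <fieldset submitButton="false">
    <!-- Time picker; its token is reused by every search below -->
    <input type="time" token="time_range">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>

    <!-- Dropdown populated from the extracted metricName field -->
    <input type="dropdown" token="metric" searchWhenChanged="true">
      <label>metricName</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>metricName</fieldForLabel>
      <fieldForValue>metricName</fieldForValue>
      <search>
        <query>search "attrs.name"="service" | regex (Start)(.*)(End) | extract pairdelim="\"{|}" kvdelim=":" | stats count by metricName</query>
        <earliest>$time_range.earliest$</earliest>
        <latest>$time_range.latest$</latest>
      </search>
    </input>
  </fieldset>

  <row>
    <!-- Bar chart: event count per extracted "type", filtered by the dropdown -->
    <panel>
      <title>Events by type ($metric$)</title>
      <chart>
        <search>
          <query>search "attrs.name"="service" | regex (Start)(.*)(End) | extract pairdelim="\"{|}" kvdelim=":" | search metricName="$metric$" | stats count by type</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>

    <!-- Table of the raw extracted fields for the selected metric -->
    <panel>
      <title>Counter values ($metric$)</title>
      <table>
        <search>
          <query>search "attrs.name"="service" | regex (Start)(.*)(End) | extract pairdelim="\"{|}" kvdelim=":" | search metricName="$metric$" | table _time, type, metricName, count</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Paste this as the source of a new dashboard (Dashboards, Create New Dashboard, then Edit Source). Because the `extract` command runs at search time, the field names used in the panels are exactly the ones that appear under "INTERESTING FIELDS"; if you later want these fields without repeating the `regex | extract` pipeline in every panel, the usual route is to define the same extraction as a search-time field extraction on the sourcetype.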