This one tripped me up. The rex command is not a filter, it merely extracts the value where it exists. As such, you can’t simply say…<\/p>\n
\r\nrex field \"(?mysearch)\" | timechart span=1d count as total\r\n<\/pre>\n …as this will result in all samples passing and your count being much larger than may be expected. To use the rex construct, you must sandwich a
where myField != \"\"<\/code> between the rex and timechart commands. For example…<\/p>\n\r\nhost=myhost* sourcetype=*server* | rex field=_raw \"(?Microcontainer.*Started in)\" | where restart != \"\" | timechart span=1d count as restarts_by_day \r\n<\/pre>\n","protected":false},"excerpt":{"rendered":" This one tripped me up. The rex command is not a filter, it merely extracts the value where it exists. As such, you can’t simply say… rex field “(?mysearch)” | timechart span=1d count as total …as this will result in…<\/p>\n