index=_internal sourcetype=splunkd "truncating line"
| rex field=_raw "line length\s+>=\s+(?<length>\d+)"
| search length=*
| stats max(length) as length, count by data_sourcetype
0 comments
[0]
[0]
[0]
[0]
index=_internal source=*license_usage.log type="Usage"
| eval indexname = if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
```| search st=<insert sourcetype here>```
| timechart span=1d sum(eval(b/pow(1024,3))) by st
0 comments
[0]
[0]
[0]
[0]