My Org is exporting the Terraform Enterprise logs (tfe_log) into Splunk and I'm trying to create a visual dashboard to show what modules are being used, how often, and who downloaded it. The main problem I have is the lack of documentation on how the logs are formatted.
So far I have this, but it seems the count is still off when comparing it to the TFE module page.
index=automation sourcetype=tfe_log tfe-atlas oac modules registry datadog download GET earliest=-2mon
| rex "registry\/(?<module>[a-z0-9-]+)-oac\/datadog\/[0-9.]+\/download"
| stats count by module