topic Re: Get a distinct count of field values matching a regex in Splunk Search

Get a distinct count of field values matching a regex

gdagur — Tue, 29 Sep 2020 14:53:05 GMT

I am doing this -
<<>> | search $country$ $campaign_name$ event_name=email OR event_name=event|stats dc(person_id)

Now in last instead of dc of person_id i need a count of person_id which matches a regex -
<<>> | search $country$ $campaign_name$ event_name=email OR event_name=event|stats dc(regex person_id="^(.?$|[^W].+|W[^F].*)" )

I tried above query using regex in dc() but it breaks. Any help would be greatly appreciated.

Re: Get a distinct count of field values matching a regex

sbbadri — Tue, 29 Sep 2020 14:55:23 GMT

<<>> | search $country$ $campaign_name$ event_name=email OR event_name=event | regex person_id="^(?P<test_person_id>(.?$|[^W].+|W[^F].*))" | stats dc(test_person_id) as persion_id

Re: Get a distinct count of field values matching a regex

gdagur — Tue, 29 Sep 2020 14:57:45 GMT

@sbbadri - Regex which I am using "Regex person_id="^(.?$|[^W].+|W[^F].*)", it is to find person_ids which are not starting with 'WF'. Regex is correct, I validated that. Query which you have given above fetching 0 results even though I have multiple person_id present in logs. They are in the form of - person_id="9e9f0ec6-899e-43a8-b1e3-ca158516b6fe".
Any advice what could be going wrong.

Re: Get a distinct count of field values matching a regex

sbbadri — Tue, 29 Sep 2020 14:57:50 GMT

Try this,

i have used your regex only below query

Still if it not fetching result. please post some sample events.