Hello
Im running this query:
index="prod"
| rex field=source "(?<crate>.*?)/"
| stats dc(crate)H
But the number of results is 400 less than expected.
Im wondering if the query is wrong or something is not working with the indexing ?
Thanks
It's impossible to answer without seeing the data. It could be your regex is incorrect and not properly extracting the crate field. It could be your data is not as varied as you think it is. Perhaps the data needs to be normalized before it is counted.