I'm trying to use a regular expression in a summary query. I want to get all events so that nothing is omitted and I can gather count statistics on all events, even if a regular expression fails to match in the rex command.
The rex command will not filter or remove any events, even if the rex doesn't match. The regex command is used to filter and remove events based on a regular expression.
If the rex fails to match a field, that field won't be present in that event.
index=foo | rex field=_raw "Hello (?<match>.*)"
For this data, you'll get the following
You can then use the fillnull command to put a default value in fields where the value is NULL.
index=foo | rex field=_raw "Hello (?<match>.*)" | fillnull value="EMPTY" match
Which will give you the following results
View solution in original post