How do I filter events and extract fields in a sin...

chrisxue815 · ‎03-24-2016

Q1:
How do I merge these two regular expressions? (which are identical but one for filtering events, the other for extracting fields)

I am | regex _raw = "I am (?<Name>.*)" | rex "I am (?<Name>.*)" | stats count Count by Name

Q2:
I already tried

I am | setfields Name = 0 | rex "I am (?<Name>.*)" | where Name != 0 | stats count Count by Name

Somehow it didn't work, until I changed where Name != 0 to where not Name = 0.

From what I learnt in other answers, the behavior of Name != 0 and not Name = 0 would differ when Name doesn't exist, but in this case Name should always exist after setfields Name = 0.

Did I miss something?

snoobzilla · ‎03-24-2016

Bottom line is you don't do both in same regex. It looks like you are trying to only count by Name when there is a value for Name. Try this...

I am | regex _raw = "I am (?<Name>.*)" | stats count AS Count by Name

Stats will only count the when there is a value for Name.

Should get same results with this where the search Name=* requires Name.

I am | regex _raw = "I am (?<Name>.*)" | search Name=* | stats count AS Count by Name

michael_kushma · ‎03-24-2016

What are you trying to do?

How do I filter events and extract fields in a single regular expression command

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!