Get a distinct count of field values matching a regex
I am doing this -
<<>> | search $country$ $campaign_name$ event_name=email OR event_name=event|stats dc(person_id)
Now, at the end, instead of dc of person_id, I need a count of the person_id values which match a regex -
<<>> | search $country$ $campaign_name$ event_name=email OR event_name=event|stats dc(regex person_id="^(.?$|[^W].+|W[^F].*)" )
I tried the above query using regex in dc(), but it breaks. Any help would be greatly appreciated.
<<>> | search $country$ $campaign_name$ event_name=email OR event_name=event | regex person_id="^(?P<test_person_id>(.?$|[^W].+|W[^F].*))" | stats dc(test_person_id) as persion_id
@sbbadri - The regex I am using, person_id="^(.?$|[^W].+|W[^F].*)", is to find person_ids which do not start with 'WF'. The regex is correct; I validated that. The query you gave above fetches 0 results even though I have multiple person_ids present in the logs. They are in the form person_id="9e9f0ec6-899e-43a8-b1e3-ca158516b6fe".
Any advice on what could be going wrong?
Try this.
I have used only your regex in the query below:
your base query | search $country$ $campaign_name$ event_name=email OR event_name=event | regex max_match=0 person_id="^(?P<test_person_id>(.?$|[^W].+|W[^F].*))" | stats dc(test_person_id) as persion_id
If it is still not fetching results, please post some sample events.
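
Added example, not part of any post in this thread: the `regex` command only keeps or discards events and never creates a field such as `test_person_id`, so the distinct count has to be taken on `person_id` itself. The query below does the conditional count inside `stats` with `eval` and `match` over constructed sample IDs; the `makeresults`, `split` and `mvexpand` lines and the `all_ids` / `matching_ids` names are illustrative assumptions standing in for the base search.

```spl
| makeresults
| eval person_id=split("9e9f0ec6-899e-43a8-b1e3-ca158516b6fe,9e9f0ec6-899e-43a8-b1e3-ca158516b6fe,4c1d2e3f-0000-4000-8000-000000000001,W1234,WF-0001,WF-0002", ",")
| mvexpand person_id
| stats dc(person_id) as all_ids
        dc(eval(if(match(person_id, "^(.?$|[^W].+|W[^F].*)"), person_id, null()))) as matching_ids
```

Events whose `person_id` fails the pattern yield `null()` and are ignored by `dc`, so no separate filtering step is needed. If the search lives in a Simple XML dashboard, as the `$country$` tokens suggest, a literal `$` in the pattern is written `$$`.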
