Get a distinct count of field values matching a re...

gdagur · ‎07-17-2017

I am doing this -
<<>> | search $country$ $campaign_name$ event_name=email OR event_name=event|stats dc(person_id)

Now in last instead of dc of person_id i need a count of person_id which matches a regex -
<<>> | search $country$ $campaign_name$ event_name=email OR event_name=event|stats dc(regex person_id="^(.?$|[^W].+|W[^F].*)" )

I tried above query using regex in dc() but it breaks. Any help would be greatly appreciated.

sbbadri · ‎07-17-2017

<<>> | search $country$ $campaign_name$ event_name=email OR event_name=event | regex person_id="^(?P<test_person_id>(.?$|[^W].+|W[^F].*))" | stats dc(test_person_id) as persion_id

gdagur · ‎07-17-2017

@sbbadri - Regex which I am using "Regex person_id="^(.?$|[^W].+|W[^F].*)", it is to find person_ids which are not starting with 'WF'. Regex is correct, I validated that. Query which you have given above fetching 0 results even though I have multiple person_id present in logs. They are in the form of - person_id="9e9f0ec6-899e-43a8-b1e3-ca158516b6fe".
Any advice what could be going wrong.

sbbadri · ‎07-18-2017

Try this,

i have used your regex only below query

Still if it not fetching result. please post some sample events.

Get a distinct count of field values matching a regex

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

Get a distinct count of field values matching a regex

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25