Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Get a distinct count of field values matching a regex

gdagur
New Member
‎07-17-2017 04:56 AM

I am doing this -
<<>> | search $country$ $campaign_name$ event_name=email OR event_name=event|stats dc(person_id)

Now in last instead of dc of person_id i need a count of person_id which matches a regex -
<<>> | search $country$ $campaign_name$ event_name=email OR event_name=event|stats dc(regex person_id="^(.?$|[^W].+|W[^F].*)" )

I tried above query using regex in dc() but it breaks. Any help would be greatly appreciated.

0 Karma
Reply

sbbadri
Motivator
‎07-17-2017 06:36 AM

<<>> | search $country$ $campaign_name$ event_name=email OR event_name=event | regex person_id="^(?P<test_person_id>(.?$|[^W].+|W[^F].*))" | stats dc(test_person_id) as persion_id

0 Karma
Reply

gdagur
New Member
‎07-17-2017 11:06 PM

@sbbadri - Regex which I am using "Regex person_id="^(.?$|[^W].+|W[^F].*)", it is to find person_ids which are not starting with 'WF'. Regex is correct, I validated that. Query which you have given above fetching 0 results even though I have multiple person_id present in logs. They are in the form of - person_id="9e9f0ec6-899e-43a8-b1e3-ca158516b6fe".
Any advice what could be going wrong.

0 Karma
Reply

sbbadri
Motivator
‎07-18-2017 07:18 AM

Try this,

i have used your regex only below query

your base query | search $country$ $campaign_name$ event_name=email OR event_name=event | regex max_match=0 person_id="^(?P(.?$|[^W].+|W[^F].*))" | stats dc(test_person_id) as persion_id .

Still if it not fetching result. please post some sample events.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top