index=**** Name=GOKI|stats count by SK SO This is the result that I get now.
index=**** Name=GOKI|stats count by SK SO
SK SO COUNT d.e.f B3 2 a.b.c.1 A1 4 a.b.c.2 A2 6 a.b.c.3 A1 8
Expected Result:
d.e.f B3 2 a.b.c.* A1 12 a.b.c.* A2 6
How do I get the expected result?
Like this:
index=**** Name=GOKI | rex field=SK mode=sed "s/^(\d\.\d\.\d\.)/\1.*/" | stats count by SK SO
Thanks, that works fine! but how do I Add this "OR" function --> so counting AB* OR BA* as one count
Make your SK values be what you want them to be before summing up. Depending on the actual rules for wildcarding it might look something like this: index=**** Name=GOKI | eval SK = replace(SK, "^(\w+\.\w+\.\w+\.).+", "\1.*") |stats count by SK SO
index=**** Name=GOKI | eval SK = replace(SK, "^(\w+\.\w+\.\w+\.).+", "\1.*") |stats count by SK SO
