Using below query:
index="incident" sourcetype="csv" | rex max_match=0 "(?<classification>(?i)(order))" | stats count by classification
Result I am getting is:
classification count
ORDER 2
Order 120
order 83
Now I want to combine these order values into one field value, like:
Order 205
And I am trying to do this by converting the classification field from string into numeric and then using the eval function, but here the tonumber function is not working, and I am not able to achieve the required result.
Any help is appreciated.
It's working now.
I have used below query. Thanks all for the help 🙂
source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv"
| rex max_match=0 field=_raw "(?<classification>(?i)(order))" | eval classification=lower(classification)| stats count by classification
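The accepted approach above, reproduced as an added self-contained example that is not from the original thread: the events are constructed with makeresults (hypothetical incident lines), rex extracts every case variant of "order" into the single field classification (so there never are separate ORDER/Order/order fields for coalesce to pick from, which is why that attempt returned no results), mvexpand turns each match into its own row, and lower() folds the case before stats counts.

```spl
| makeresults count=6
| streamstats count AS n
| eval _raw=case(n==1, "INC-1001 ORDER lookup failed",
                 n==2, "INC-1002 Order shipped late",
                 n==3, "INC-1003 order not found",
                 n==4, "INC-1004 Order duplicate",
                 n==5, "INC-1005 password reset",
                 n==6, "INC-1006 order and Order mixed case")
| rex max_match=0 field=_raw "(?<classification>(?i)(order))"
| mvexpand classification
| eval classification=lower(classification)
| stats count BY classification
```

Run as written this yields a single row, order 6 (event 5 has no match and is dropped by stats); removing the eval line gives the three case-split rows ORDER 1, Order 3, order 2 that the question started from.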
If your goal is to achieve the output as the sum of the count field irrespective of the case of the contents in the classification field i.e. "Order 205" as per your question then you can try an approach even without rex. Below is the code for the same. This will help you generalize the case of the contents of "Classification" field.
index="incident" sourcetype="csv"
|eval Classification=lower(Classification)
|stats sum(Count) as Count by Classification
Without rex it will not work here, as I need to extract different fields from the events and then count them.
Use the coalesce function to combine several fields into a single field.
index="incident" sourcetype="csv" | rex max_match=0 "(?<classification>(?i)(order))" | eval classification=coalesce(ORDER, Order, order) | stats count by classification
I am getting no results found under statistics tab. Used below query.
source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv" | rex max_match=0 field=_raw "(?<classification>(?i)(order))" | eval classification=coalesce(ORDER, Order, order) | stats count by classification
I have just modified your query, try if it works:
source="incident (1).csv" host="instance-3" index="incident" sourcetype="csv"
| rex max_match=0 field=_raw "(?<classification>(?i)(order))" | eval classification=coalesce("ORDER", "Order", "order") | stats count by classification
Yes, I have used the below in my query. I am getting the same result.
| rex max_match=0 field=_raw
Sample Event I can't provide here.
It's just that I am not able to convert the string to numeric; I have tried all options.
Not sure why the eval function is not working after the rex command.
I think, in your rex statement you may need to identify the field.
| rex field=max_match
But, I may be misunderstanding what you have.
If you can provide a sample event I may be able to help more.