I have one field with values xyz_onprem abc_onprem gghf_onprem abc_aws gfd_aws
I want to see the count of values ending with onprem & aws, like
aws = 2 onprem = 3
Thanks in advance
You have to insert in your search a rex command:
mysearch | rex field=myfield ".*_(?<newfield>\w+)" | stats count by newfield
bye. Giuseppe
View solution in original post
If this is a multivalue field you can use this spl query:
yoursearch | eval onprem=mvcount(mvfilter(match(yourfield,"^.+_onprem"))) | eval aws=mvcount(mvfilter(match(yourfield,"^.+_aws")))
best Darek
