i want to compare if last 5 digits of user ID are same don't show in result
how it can be done
0012345
abc0012345
xyx\0012345
if the resulting values are above as a user ID, i want to check if last 5 values(12345) are same so it should not trigger in my search as a result of user ID
hi @saghiralmani
base search . . .. |eval test=substr(user_id_field,-5) |eventstats count by test |where count > 1
@saghiralmani ,
If you want to compare the extracted IDs against another value, try
|rex field=your_user_id_field "(?<extracted_id>\d{5}$)"
OR
|eval extracted_id=substr(your_user_id_field,-5)
Compare extracted_id against with the value