Hi I have a field called "src_file_name" in which I have only four values as follows:
evaluation vehicle policy workflow sept 2012.pptx
evaluation vehicle register sept2012.xlsx
evaluation vehicle form - final sept 2012.pdf
quarterly evaluation 2012 - july to september.ppt
and I am running the query below to find how many times the "evaluation" keyword is present in the "src_file_name" field:
index="email_weekly_data" | rex field="src_file_name" (?
I am supposed to get a count of 4 but unfortunately I am getting a count of only 3; when I checked which files it is talking about, I found:
evaluation vehicle policy workflow sept 2012.pptx
evaluation vehicle register sept2012.xlsx
evaluation vehicle form - final sept 2012.pdf
My query is not considering "quarterly evaluation 2012 - july to september.ppt" file.
Please help me to get the correct count ASAP
Thanks in Advance!!
hi abhayneilam
I hope this is ASAP enough 🙂
You can test regex on http://gskinner.com/RegExr/, it works perfectly for Splunk. I tested your filenames and your regex, and yours will only match the files which start with evaluation, therefore you only get 3 files.
Using this regex:
(?<one>(?i)evaluation)
you will get all 4 files.
cheers,
MuS
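The behaviour MuS describes, reproduced as an added example (not part of the original thread or of Splunk). The poster's regex is truncated on the page, so an anchored pattern `^(?P<one>evaluation)` is assumed to stand in for it; Python spells a named group `(?P<one>...)` where Splunk's rex uses `(?<one>...)`, and Python requires the inline `(?i)` flag to lead the pattern, so the corrected regex is written as `(?i)(?P<one>evaluation)`.

```python
import re

# The four src_file_name values quoted in the question.
FILENAMES = [
    "evaluation vehicle policy workflow sept 2012.pptx",
    "evaluation vehicle register sept2012.xlsx",
    "evaluation vehicle form - final sept 2012.pdf",
    "quarterly evaluation 2012 - july to september.ppt",
]

# Assumption: the poster's truncated regex anchored the match to the start of
# the field, which is what the answer describes (only files that start with
# "evaluation" match). Python's named-group syntax is (?P<one>...) rather than
# Splunk's (?<one>...), and the inline (?i) flag must lead the pattern.
ANCHORED = r"^(?P<one>evaluation)"
UNANCHORED = r"(?i)(?P<one>evaluation)"


def rex_extract(pattern, values):
    """Mimic `rex field=src_file_name <pattern>`: return the named-group
    captures for every value the pattern matches anywhere (a search, not an
    anchored match, unless the pattern itself anchors)."""
    regex = re.compile(pattern)
    hits = []
    for value in values:
        match = regex.search(value)
        if match:
            hits.append(match.groupdict())
    return hits


def count_field(pattern, values, group="one"):
    """Equivalent of `... | stats count(one)`: the number of events in which
    the named group was extracted."""
    return sum(1 for hit in rex_extract(pattern, values) if hit.get(group))


def unmatched(pattern, values):
    """Values the pattern does not match, i.e. the file the question reports
    as missing from the count."""
    regex = re.compile(pattern)
    return [value for value in values if not regex.search(value)]


if __name__ == "__main__":
    print(count_field(ANCHORED, FILENAMES))    # 3
    print(unmatched(ANCHORED, FILENAMES))      # the 'quarterly ...' file
    print(count_field(UNANCHORED, FILENAMES))  # 4
```

The anchored pattern fails on the fourth filename because "evaluation" is preceded by "quarterly "; dropping the anchor lets the search find the keyword anywhere in the field, and the `(?i)` flag additionally covers filenames where the word is capitalised.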
blush - thanks 🙂
MuS - I have to say that the support (and speed 😉) that you and others such as Ayn, sideview etc. provide is amazing. It makes Splunkbase a lively, healthy forum, something that other product houses should be envious of.
So - a note of thanks.
Br
DS