Hello everyone,
I have my fields like below,
indicator | tags |
indicator 1 | tag 1,class:234 |
indicator 2 | tagg,class:456 |
I have to group my fields based on tags starting with class, and my query is like below,
sourcetype="my-data" | stats count by tags | where tags="class*"
But I am getting 0 results, as the where clause takes only exact values and not "class*".
I want my result as below,
class:234 1
class:456 1
Kindly suggest.
The problem with made up data is it can be difficult to give a useful answer.
However, given the example, try
sourcetype="my-data"
| rex field=tags "(?<class>class:\d+)"
| stats count by class
Try
|where tags like "%class%"
Thanks @renjith_nair, this works. But if I am using this with timechart it is not working.
sourcetype="my-data" | timechart span=4h count by tags | where tags like "%class%"
Can you suggest.
Hi @ITWhisperer ,
Thanks for the reply,
1. No, tags contain multiple fields or a single field depending on the log.
2. No, class doesn't have any pattern.
3. No, class can be anywhere in tags.
Rex command works well with timechart and stats command as well.
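To make concrete what the rex-then-stats answer above does, and why the extraction has to happen before timechart rather than in a where after it, here is an added Python model of that SPL pipeline over constructed sample events. This is not code from the thread or from Splunk; the event list, timestamps and the `\b` word boundary in the regex are assumptions added for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not from the original post): (_time, tags).
# The "class:NNN" token sits at different positions and behind different
# separators, matching the poster's statement that the structure varies.
EVENTS = [
    ("2024-01-01T00:10:00Z", "tag 1,class:234"),
    ("2024-01-01T01:20:00Z", "tagg,class:456"),
    ("2024-01-01T05:00:00Z", "class:234;other"),
    ("2024-01-01T06:30:00Z", "noclasshere"),
    ("2024-01-01T07:00:00Z", "x class:234 y"),
    ("2024-01-01T09:00:00Z", "subclass:9"),   # must NOT be counted as a class tag
]

# Model of: | rex field=tags "(?<class>\bclass:\d+)"
# The \b is an assumption added here: it keeps "subclass:9" from matching.
# The rex in the answer above has no boundary, so add one if such tags exist.
CLASS_RE = re.compile(r"\bclass:\d+")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def extract_class(tags):
    """Return the first class:NNN token found anywhere in tags, else None."""
    m = CLASS_RE.search(tags)
    return m.group(0) if m else None


def where_exact_match(events, value="class*"):
    """Model of `| where tags="class*"`: a plain string comparison, so the
    asterisk is literal and no event matches. This is the 0-result case."""
    return [e for e in events if e[1] == value]


def stats_count_by_class(events):
    """Model of: | rex ... | stats count by class
    Events with no extracted class are dropped, as stats does for a null by-field."""
    counts = Counter()
    for _, tags in events:
        cls = extract_class(tags)
        if cls is not None:
            counts[cls] += 1
    return dict(counts)


def timechart_count_by_class(events, span_hours=4):
    """Model of: | rex ... | timechart span=4h count by class
    Extraction and filtering happen BEFORE bucketing; after timechart the class
    values have become column names, so a where on 'tags' has nothing to test."""
    buckets = defaultdict(Counter)
    for ts, tags in events:
        cls = extract_class(tags)
        if cls is None:
            continue
        t = datetime.strptime(ts, TIME_FMT)
        start = t.replace(hour=(t.hour // span_hours) * span_hours, minute=0, second=0)
        buckets[start.strftime(TIME_FMT)][cls] += 1
    return {k: dict(v) for k, v in buckets.items()}


if __name__ == "__main__":
    print('where tags="class*" ->', where_exact_match(EVENTS))
    for cls, n in sorted(stats_count_by_class(EVENTS).items()):
        print(cls, n)
    for bucket, counts in sorted(timechart_count_by_class(EVENTS).items()):
        print(bucket, counts)
```

Running it shows the two class values counted regardless of where they sit in the tags string, and the same counts split into 4-hour buckets; the exact-match filter returns nothing, which is the behaviour reported in the question.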
Hi @Janani_Krish,
If the structure of your tags is always "xxx,value", you could use a regex to extract the value after the comma, something like this:
sourcetype="my-data"
| stats count by tags
| rex field=tags "^[^,]*,(?<tags>.*)"
| search tags="class*"
Ciao.
Giuseppe
Hi @gcusello ,
Thank you for the suggestion. But my structure varies, it is not always followed by a comma.
Hi @Janani_Krish,
You should try (if possible) to identify all the rules of your tags field and write all the possible regexes to extract the tags you want.
There's also another choice: if the list of tags isn't too long and it's manageable, you could put the tags in a lookup and use this lookup to match the events with a tag.
Ciao.
Giuseppe