Q1:
How do I merge these two regular expressions? (They are identical, but one is for filtering events and the other is for extracting fields.)
I am | regex _raw = "I am (?<Name>.*)" | rex "I am (?<Name>.*)" | stats count Count by Name
Q2:
I already tried
I am | setfields Name = 0 | rex "I am (?<Name>.*)" | where Name != 0 | stats count Count by Name
Somehow it didn't work, until I changed where Name != 0 to where not Name = 0.
From what I learnt in other answers, the behavior of Name != 0 and not Name = 0 would differ when Name doesn't exist, but in this case Name should always exist after setfields Name = 0.
Did I miss something?