I am running following query where in the last I would like to fetch value of "Client" key from json and count all such clients. My query goes as follow: QUERY | rex ".*\"Client\":\"(?<Client>.*)\"," | stats count byClient The events in query will definitely has json as the one of the key, but order of the key may change. This extraction of Client from json is not working and I am getting Client as null .What is the problem here.My event looks as follow Event type 1: request-id : ABC Executing following method: Class.RestClass ::: with values:
{
"d1": "EU",
"sn": "sn",
"entityType": "USER",
"email": "test@gmail.com",
"id": [
"123"
],
"Client": "TEST",
"time": "2020-01-01T01:01:01Z",
"List": [
{
"Type": "Items1",
"value": "-1",
"match": "NO"
}
]
} Event type 2: request-id : 234 Execute something ::: with param-values:
{
"d1": "JP",
"sn": "sn",
"type": "USER",
"user": "test1@gmail.com",
"id": [
"123"
],
"source": "S1",
"Client": "test_client",
"initiate": "init_Name",
"mode": "Test",
"t1": "",
"t2": "",
"auto": true,
"list": [
{
"type": "type_count",
"value": "-1",
"creteria": "skip"
}
]
} How can I correct my query to get the correct results:.
... View more