Hey Community,
I'm trying to pass a variable containing the pattern to a rex command with mode=sed.
This is my approach, but it doesn't work. My screen just gives me the message: Search is waiting for input.
What's wrong with my code?
| eval rex_langing_page=if("$landing_page$"=="*", "s/^(\/[^\/]+\/).*$/\1/", ".*") //This should be the pattern for my rex command
``` NOTE(review): the eval above writes a result field spelled rex_langing_page, while the rex below asks for a dashboard token spelled rex_landing_page. ```
``` NOTE(review): an eval inside the search creates a field, not a token, so the token below is never set; that matches the reported "Search is waiting for input". ```
| rex field=Web.uri mode=sed "$rex_landing_page$"
This is my whole code:
| tstats summariesonly=t count FROM datamodel=Web WHERE Web.site="$site$" "Web.eventtype"=pageview "Web.http_session_pageviews">1 GROUPBY "Web.site","Web.http_session",_time span=1s,"Web.http_referer","Web.uri","Web.http_session_channel"
``` Purpose: counts pageview events from the Web data model per site, session, second, referrer, URI and channel, turns each session into from -> to page transitions, and keeps the most frequent ones. ```
``` NOTE(review): the site, landing_page, to and limit tokens are pasted into the search text as-is. The dashboard XML is not shown here; if any of them is filled from a free-text input or a URL parameter, a value containing a quote or a pipe changes the structure of the search. ```
``` NOTE(review): for string values prefer the |s token filter (site|s between the dollar delimiters, without the surrounding double quotes), and restrict limit to a fixed list of numbers at the input. ```
``` NOTE(review): the eval below creates a result field spelled rex_langing_page; the rex after it refers to rex_landing_page. ```
| eval rex_langing_page=if("$landing_page$"=="*", "s/^(\/[^\/]+\/).*$/\1/", ".*")
``` NOTE(review): dollar-delimited names are dashboard tokens, substituted before the search is dispatched; an eval inside the search cannot define one, which matches the reported "Search is waiting for input". ```
``` NOTE(review): rex mode=sed expects a literal sed expression rather than a field value, and the ".*" fallback is not in s/regex/replacement/ form. A conditional eval with replace() on the URI field is one way to get the intended effect; verify against your Splunk version. ```
| rex field=Web.uri mode=sed "$rex_landing_page$"
| rename Web.uri AS to "Web.http_referer" AS from "Web.http_session_channel" AS channel "Web.site" AS site "Web.http_session" AS http_session
``` Pulls the path portion of the referrer URL into from_path and uses it as the new value of from. ```
| rex field=from "https?://.+?(?<from_path>/[^\\?]+)"
| rename from_path AS from
``` When no path was extracted, from falls back to the value of the site token. ```
| eval from=if(isnull(from),"$site$",from)
``` Numbers the events of each session starting at 0 and keeps only the interactions up to limit/20 (rounded). ```
| streamstats global=f count AS interaction by http_session
| eval interaction=interaction-1
| where interaction<=round($limit$/20,0)
``` Collapses each session into multivalue lists; landing_page is the earliest to value of the session. ```
| stats list(from) AS from, list(to) AS to,earliest(to) AS landing_page, list(channel) as channel, list(interaction) as interaction by http_session
| search to="$to$" landing_page="$landing_page$"
``` Zips the lists into comma-joined tuples, expands them to one row per tuple, and splits each tuple back into fields. ```
| eval fields = mvzip(from,mvzip(to,mvzip(interaction,channel)))
| fields http_session fields
| mvexpand fields
| rex field=fields "(?<from>[^\,]+),(?<to>[^\,]+),(?<interaction>[^\,]+),(?<channel>.+)"
| eval from=if(interaction=0, "", from)
``` When a specific landing page is selected, every from value is overwritten with site followed by that landing page. ```
| eval from=if("$landing_page$"!="*", "$site$"."$landing_page$", from)
| table http_session from to interaction
| where interaction>=1
| where to!="$landing_page$"
| where to!=from
``` Counts transitions per interaction step, ranks them within each step, keeps the top limit/10 per step, then sums per from/to pair and returns at most limit rows. ```
| stats count by from,to,interaction
| sort interaction,-count,from,to
| streamstats global=f count AS interaction_rank by interaction
| where interaction_rank<=round($limit$/10,0)
| stats sum(count) AS count by from,to
| sort from to count
| head $limit$
Thanks a lot
Johannes