Home > Software engineering >  Splunk - How to extract two fileds distinct count one field by the other field?
Splunk - How to extract two fileds distinct count one field by the other field?

Time:09-23

I have such events:

Id":"123456","string","groupId":"AB123"}]

I want to extract the fields Id, i.e. 123456 and groupId, i.e. AB123.

I tried this:

query 
| rex field=_raw "Id\":\"(?<Id>\d )\". groupId\W (?<groupId>\w )"
| timechart partial=f span=10m dc(Id) by groupId

It did not count anything.

What did I do wrong?

CodePudding user response:

First, you're grouping by a field that may not exist (did you mean groupId instead of serviceId?)

Second, are you sure your regular expression is correct?

This tested one is simpler:

| rex field=_raw "Id\W (?<Id>\d )\D groupId\W (?<groupid>\w )"

Page link:https//www.codepudding.com/Softwareengineering/124764.html

Prev:Getting text between one or more pairs of strings using regex in python
Next:Displaying HTML in PERL Tag
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding