Case 1:
index=xyz | rex "(?i)<ticketId>(?P<TICKETID>[^<;]+)" | stats values(TICKETID) as TICKETID by processname | where TICKETID NOT NULL
TICKET ID - numeric, e.g.: 23517727
processname - string, e.g.: abc
I am trying to fetch TICKET ID details by distinct values of processname using the search above. It displays "no results found".
Case 2:
For the above search, if I remove the where clause, it displays both the processname and TICKETID columns where TICKETID column is empty.
Case 3:
index=xyz | rex "(?i)<ticketId>(?P<TICKETID>[^<]+)" | stats values(TICKETID) as TICKETID by id | where TICKETID NOT NULL
id - string, e.g.: 143543337d5ea380261d5b318186dc4a28db9edb0
It gives me the results of distinct values of id with corresponding TICKETID values. I want case 1 in this format.
-- id is a kind of primary key in this scenario, whereas processname isn't.
I am new to using Splunk. Please do help me ASAP.
Thanks in advance 🙂
Like this:
Case 1 and 2:
index=xyz | rex "(?i)<ticketId>(?<TICKETID>[^<;]+)" | stats values(TICKETID) as TICKETID by processname | where isnotnull(TICKETID)
Case 3:
index=xyz | rex "(?i)<ticketId>(?<TICKETID>[^<]+)" | stats values(TICKETID) as TICKETID by id | where isnotnull(TICKETID)
Please share some sample data so we can put your fields into context.
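To see why `where isnotnull(TICKETID)` is needed after `stats values(...) by <field>`, here is an added Python model of the search pipeline (not Splunk's own code or anything from this thread) run over a constructed set of events. Group rows whose events carry no `<ticketId>` element come out of the stats step with a null TICKETID and are the rows the where clause drops; the field names and sample events are assumptions for the illustration.

```python
import re

# Constructed sample events (not from the thread): each carries processname
# and id; only some have a <ticketId> element in _raw, and tag case varies.
SAMPLE_EVENTS = [
    {"processname": "abc", "id": "id-1", "_raw": "<TicketId>23517727</TicketId>"},
    {"processname": "abc", "id": "id-2", "_raw": "<ticketid>23517728;</ticketid>"},
    {"processname": "abc", "id": "id-3", "_raw": "<status>ok</status>"},
    {"processname": "def", "id": "id-4", "_raw": "<status>ok</status>"},
]

# Same pattern as the rex command: case-insensitive tag, value stops at '<' or ';'.
TICKET_RE = re.compile(r"(?i)<ticketId>(?P<TICKETID>[^<;]+)")


def rex(events, pattern=TICKET_RE):
    """Model of `rex`: add TICKETID where the pattern matches _raw, else leave it null."""
    out = []
    for ev in events:
        ev = dict(ev)
        m = pattern.search(ev["_raw"])
        if m:
            ev["TICKETID"] = m.group("TICKETID")
        out.append(ev)
    return out


def stats_values_by(events, field, by):
    """Model of `stats values(field) as field by <by>`: one row per distinct
    `by` value, sorted distinct values, and a null field when no event had one."""
    groups = {}
    for ev in events:
        bucket = groups.setdefault(ev[by], set())
        if ev.get(field) is not None:
            bucket.add(ev[field])
    return [{by: k, field: sorted(v) if v else None} for k, v in groups.items()]


def where_isnotnull(rows, field):
    """Model of `where isnotnull(field)`: drop rows whose field is null."""
    return [r for r in rows if r.get(field) is not None]


def search(events, by):
    """Full pipeline: rex | stats values(TICKETID) by <by> | where isnotnull(TICKETID)."""
    return where_isnotnull(stats_values_by(rex(events), "TICKETID", by), "TICKETID")
```

Run `search(SAMPLE_EVENTS, "processname")` to see the Case 1 shape (one row for `abc`, `def` dropped) and `search(SAMPLE_EVENTS, "id")` for the Case 3 shape (one row per id that had a ticket).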