how to merge multiple rex commands

abhayneilam · ‎10-26-2012

Hi,

I have a query as follows :

Here, I am using 3 keywords "delhi","kol" and "mumbai" but I have used 3 rex for this..can I merge three into one rex. when I am merging as follows I am getting the correct count for the keywords. Please help

rakesh_498115 · ‎10-26-2012

Hi Abhay..

You can create field aliases for your thress rex fields as location and then you can use the stats count by location like this .

rex field="Location" (?(?i)"delhi")
rex field="Location" | (?(?i)"kol")
rex field="Location" (?(?i)"mumbai")

Now go to Field Aliases and create a common alias for these three fields i.e say location .

Then use your query like this..

index="maa" | stats count by location

Would you give the desired results..

MuS · ‎10-29-2012

the problem is, that in the data multiple city occur at the same line:

abhay|26|koldelhigmumbaiis_delhiood_di
murari|30|ranigang
abc|32|mumbai is delhi place
murari|30|ranigang_kolbabbu is kol
murari|30|delHI is not in kolkata
mno|100|delhi
murari|30|ranig
xyz|100|delhi

abhayneilam want to match only ONE city per line, either delhi, kol or mumbai.
I cannot create any regex matching this pattern on gskinner....sorry but on the other hand I'm no regex expert after all 🙂

bmacias84 · ‎10-26-2012

Why not combine them into one rex statement with multiple ability to match multiple times.



rex field="Location"(?(?im)"(delhi|mumbai|kol)")

how to merge multiple rex commands

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases