Solved: Easy way to match just the beginning of a field va...

jravida · ‎06-11-2014

Hi Folks,

I'm having a hard time working around using a wildcard within an eval, which isn't possible as far as I know.

Say I have these field values:
Bought an orange
Bought a banana
Bought a cantelope
Sold a monkey
Sold an elephant
Bought a lion

I want to count, simply, how many times "Bought" show up, and how many times "Sold" show up, so I can chart them.

Eval statements prevent wildcards, so I can't think of what to use. Is there a simple method of doing this?

somesoni2 · ‎06-11-2014

Eval does except wildcard ('%') for the function 'like'. Try below expression

your base search | stats count(eval(like(yourfield,"Bought %"))) BoughtCount count(eval(like(yourfield,"Sold %"))) SoldCount

the_wolverine · ‎06-11-2014

Bought OR Sold | rex "(?<transaction>Bought|Sold[^ ]+)" | timechart span=1h count by transaction

somesoni2 · ‎06-11-2014

Eval does except wildcard ('%') for the function 'like'. Try below expression

your base search | stats count(eval(like(yourfield,"Bought %"))) BoughtCount count(eval(like(yourfield,"Sold %"))) SoldCount

Easy way to match just the beginning of a field value