I have one field with values
xyz_onprem
abc_onprem
gghf_onprem
abc_aws
gfd_aws
I want to see the count of values ending with onprem & aws, like
aws = 2
onprem = 3
Thanks in advance
You have to insert in your search a rex command:
mysearch | rex field=myfield ".*_(?<newfield>\w+)" | stats count by newfield
bye.
Giuseppe
If this is a multivalue field you can use this spl query:
yoursearch | eval onprem=mvcount(mvfilter(match(yourfield,"^.+_onprem"))) | eval aws=mvcount(mvfilter(match(yourfield,"^.+_aws")))
best
Darek
You have to insert in your search a rex command:
mysearch | rex field=myfield ".*_(?<newfield>\w+)" | stats count by newfield
bye.
Giuseppe