I have two fields, Inbound and Outbound. Each of these fields can contain a group (sometimes they're null). I need to get a count of the groups if they match a specific regex (i.e. must start with ATT, MCI or QST). The problem is that a valid group can be in either field, and certain groups can be both an Inbound and Outbound group. Below is a small example of some events:
Inbound Outbound
OMA01002 QST_0960
ATT_0002 QST_0965
OMA01000 QST_0960
ATT_0004
ATT_0119 ATT_0002
MCI_0023
QST_0960 ATT_0407
ATT_0119
ATT_0004 RG17
As you can see in the example ATT_0002, ATT_0119 and QST_0960 can be an Inbound or Outbound group. But I don't care about what group it is, I only care about the counts for each group. So the results I need are:
Group Count
ATT_0002 2
ATT_0004 2
ATT_0119 2
ATT_0407 1
MCI_0023 1
QST_0960 3
QST_0965 1
I'm not sure how to do this or if it's possible without two searches. Below is a simplified search that is kind of a starting point.
search * | fields Inbound Outbound
| where match(Inbound, "^(ATT|MCI|QST)") OR match(Outbound, "^(ATT|MCI|QST)")
| do amazing counting stuff here
Hope this makes sense. Thanks for any help.
... | eval Group=mvappend(Inbound,Outbound) | stats count by Group
So simple. You guys make me feel like an idiot, but it's precisely what I need. Thanks so much!
Hi @gkanapthy, and @tnkoehn
I have similar requirement but instead of | where match(Inbound, "^(ATT|MCI|QST)") OR match(Outbound, "^(ATT|MCI|QST)")
i have
| where match(Inbound, "abc") OR match(Outbound, "def")
now how should i achieve this