I have a multivalue field which is obtained from a stats function. Using the mvfind function, how do I write a regex for this?
query...|stats list(result_id) by user
result_id is a multivalue field and it contains data like
r_id1
r_id2
r_id3
r_id4
I want to write a regex which matches as below
r_id2
r_id3
But the below eval doesn't work.
eval n=mvfind(result_id,"r_id2\nr_id3")
OR
eval n=mvfind(result_id,"r_id2\sr_id3")
Please help.
Verify the required result:
| makeresults count=2
| streamstats count
| eval _time=if(count=2,relative_time(_time,"-2d@d"),relative_time(_time,"-1d@d"))
| makecontinuous _time span=20m
| eval user="user_".(random() % 9 + 1)
| eval result_id="r_id".(random() % 4 + 1)
| streamstats count
| where count % 2 =1
| stats list(result_id) as result_id by user
| rex field=result_id max_match=10 "(?<result>\w+(2|3))"
Hi, folks
How to write regex for a multivalue field?
\w+(2|3), this regex is.
Recommend:
query...
|stats list(result_id) as result_id by user
| rex field=result_id max_match=10 "(?<result>\w+(2|3))"
How about this?
What is your suggested output?
Do you need your matching values as a new multivalue field? Or do you need the index of your matching values in your multivalue field?
Maybe this can help you:
| makeresults
| eval mv="r_id1,r_id2,r_id3,r_id4"
| makemv delim="," mv
| eval result=mvfilter(match(mv,"r_id2") OR match(mv,"r_id3"))
| eval n=if(isnotnull(mvfind(mv,"r_id2")),mvfind(mv,"r_id2"),""), n=if(isnotnull(mvfind(mv,"r_id3")),n.",".mvfind(mv,"r_id3"),n)
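Added example, not written by any poster in this thread, using constructed values shaped like the question's list(result_id). mvfind tests the regex against each value on its own and returns only the first matching zero-based index, so n_spanning (a pattern that spans two values) stays null while n_first (an alternation within one value) matches; matched and n_all then collect every matching value and every matching index. All field names other than result_id are illustrative.

```spl
| makeresults
| eval result_id=split("r_id1,r_id2,r_id3,r_id4", ",")
| eval n_spanning=mvfind(result_id, "r_id2\nr_id3")
| eval n_first=mvfind(result_id, "^r_id(2|3)$")
| eval matched=mvfilter(match(result_id, "^r_id(2|3)$"))
| eval idx=mvrange(0, mvcount(result_id))
| eval n_all=mvmap(idx, if(match(mvindex(result_id, idx), "^r_id(2|3)$"), idx, null()))
| table result_id n_spanning n_first matched n_all
```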
Hi @gndivya,
to help you create the regex, could you share some examples (masked if necessary)?
Ciao.
Giuseppe
| makeresults
| eval my_multival="4726,4722,4726"
| makemv tokenizer="([^,]+),?" my_multival
This is the sample one I'm using... that result id will contain data like below
4726
4726
4722
4726
4726
4726
4722
4726