I have the following lines in logs:
1 ADM.ADMX policies
Found ADM/ADMX policies
How do I search to filter only 1 ADM/ADMX policies?
You can't do that, because there is not 1 ADM/ADMX policies.
| makeresults
| eval _raw="1 ADM.ADMX policies
Found ADM/ADMX policies"
| multikv noheader=t
| table _raw
| regex "\d*\sADM\.ADMX\spolicies"
We can't answer that because that's not what you're talking about in the question and comment.
Check the results of regex before saying there is no result of stats.
@srinivas0704 Could you try index=foo | regex _raw="1\s+ADM\.ADMX\spolicies" if you need to match 1 ADM.ADMX policies literally? But if you need to capture a string with any digit at the start, you can try index=foo | regex _raw="\d\s+ADM\.ADMX\spolicies"
@sanjeev543 regex _raw="\d\s+ADM\/ADMX\spolicies" | stats count, but the count still shows as 0.
Have you tried index=foo "ADM/ADMX" or index=foo | regex "ADM\/ADMX"?
Hi, I have tried the first one. My intention is to take the line which starts with a digit and has ADM/ADMX.
OK. I misunderstood the question. Try \d\sADM\/ADMX.
@richgalloway Not a problem. regex _raw="\d\s+ADM\/ADMX\spolicies" | stats count, but the count still shows as 0.
There's a contradiction in what you want to find. Is it "1 ADM.ADMX policies" or "1 ADM/ADMX policies"? My latest response will find the latter. This should find the former: \d\sADM\.ADMX policies.
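The patterns posted in this thread, run against the two log lines from the question. This is an added example, not part of any post: it uses Python's re module in place of Splunk's regex command, and like that command it keeps a line when the pattern matches anywhere in it. The third sample line and the last pattern are constructed for illustration.

```python
import re

# The two log lines quoted in the question.
LOG_LINES = [
    "1 ADM.ADMX policies",
    "Found ADM/ADMX policies",
]

# Constructed line (not in the question): a digit followed by the slash form.
CONSTRUCTED_LINE = "3 ADM/ADMX policies"

# Patterns as posted in the thread, plus one added pattern (last entry).
PATTERNS = {
    "dot form, posted": r"\d\sADM\.ADMX policies",
    "slash form, posted": r"\d\s+ADM\/ADMX\spolicies",
    "slash only, posted": r"ADM\/ADMX",
    # Added: digit at line start, either separator accepted.
    "either separator (added)": r"^\d+\s+ADM[./]ADMX\s+policies",
}


def matching_lines(pattern, lines):
    """Return the lines in which the pattern matches anywhere (unanchored)."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def match_matrix(lines):
    """Map each pattern name to the lines it keeps."""
    return {name: matching_lines(p, lines) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for label, lines in (
        ("question lines only", LOG_LINES),
        ("with constructed slash line", LOG_LINES + [CONSTRUCTED_LINE]),
    ):
        print(label)
        for name, hits in match_matrix(lines).items():
            print(f"  {name:26} count={len(hits)} {hits}")
```

On the two lines from the question, the slash pattern followed by stats count gives 0 because the only line that starts with a digit uses a dot between ADM and ADMX.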