Q1:
How do I merge these two regular expressions? (which are identical but one for filtering events, the other for extracting fields)
`I am | regex _raw = "I am (?<Name>.*)" | rex "I am (?<Name>.*)" | stats count Count by Name`
Q2:
I already tried
`I am | setfields Name = 0 | rex "I am (?<Name>.*)" | where Name != 0 | stats count Count by Name`
Somehow it didn't work, until I changed `where Name != 0` to `where not Name = 0`.
From what I learnt in other answers, the behavior of `Name != 0` and `not Name = 0` would differ when `Name` doesn't exist, but in this case `Name` should always exist after `setfields Name = 0`.
Did I miss something?