I have a parsed field and I need to count the number of times a given string appears within it. It seems relatively simple, but I've been searching through Sumo documentation and now I'm not sure this is even possible. Please help!
Asked
Active
Viewed 1,825 times
3
-
You might need to use some regex to parse out the string: https://help.sumologic.com/05Search/Search-Query-Language/01-Parse-Operators/02-Parse-Variable-Patterns-Using-Regex. If you're willing to post a sample message I'd be happy to help with that. – the-nick-wilson Jul 10 '20 at 02:29
2 Answers
2
I have an idea for a hacky solution using replace() regex variant.
If inputField is your input field and you want to count the number of times is happens in the inputField, then
| "This is a very hacky solution which might get you in trouble" as inputField
| replace(inputField, /is/, "@") as matched
| replace(matched, /[^@]/, "") as skipTheRest
| length(skipTheRest) as finalCount
The solution assumes @ is not present in the input field.
Disclaimer: I am currently employed by Sumo Logic.
Grzegorz Oledzki
- 23,614
- 16
- 68
- 106
-
This is so good and so bad, but it gets the job done. Thank you! BTW - You can pre-cleanse the data by first replacing any existing @ symbols with empty strings, as an initial step. – James Daily May 24 '22 at 13:52
0
If I understand question correctly, we have a field A which we have parsed and now we want to match if it contains some string s. In that case, below can be appended to your query.
| if(A matches "*s*", 1, 0) as ct
| sum(ct)
Grzegorz Oledzki
- 23,614
- 16
- 68
- 106
ondway
- 114
- 1
- 11