parsing and counting
I was able to extract the security group (GroupId) from a nested array and named it jsonobject. Now, I am trying to extract / break down the field (jsonobject) into the separate security groups. I also want to count the number of unique security groups.
| parse regex field=jsonobject "(?<gid>\"sg-\w+\")" multi
It just searches the first (only one sg). Looks like multi is not working in this case.
Please advise.
-
The multi-option should generate a new row for each value matched by the regular expression. So for example, if you have just 1 JSON message with 5 IDs and you perform a multi parse you will end up with what looks like 5 message rows, but the parsed value in the ID field should be different. Is this not what you are seeing?
After the parsing then you would just need to add the following operation to your query to get the count of distinct IDs.
| count_distinct(gid) as gid_count
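The row-per-match behaviour described in the answer, emulated in Python as an added example (not code from the thread and not Sumo Logic's implementation). The sample rows and the function names are constructed for illustration; the pattern is the one from the question, written with Python's `(?P<name>...)` group syntax.

```python
import re

# The question's pattern. The escaped quotes sit inside the named group,
# so every captured gid value keeps its surrounding double quotes.
GID_RE = re.compile(r'(?P<gid>"sg-\w+")')

# Constructed sample rows: jsonobject holds the nested security-group array.
ROWS = [
    {"_id": 1, "jsonobject": '[{"GroupId":"sg-0a1b2c3d"},{"GroupId":"sg-11112222"}]'},
    {"_id": 2, "jsonobject": '[{"GroupId":"sg-0a1b2c3d"},{"GroupId":"sg-9f8e7d6c"}]'},
    {"_id": 3, "jsonobject": '[]'},
]

def parse_multi(rows, field="jsonobject"):
    """Emit one output row per regex match, copying the source row's fields."""
    out = []
    for row in rows:
        for m in GID_RE.finditer(row[field]):
            out.append({**row, "gid": m.group("gid")})
    return out

def parse_first(rows, field="jsonobject"):
    """First match only: the symptom reported in the question."""
    out = []
    for row in rows:
        m = GID_RE.search(row[field])
        if m:  # in this emulation, rows with no match produce no output
            out.append({**row, "gid": m.group("gid")})
    return out

def count_distinct(rows, key="gid"):
    """Number of distinct values of key across all rows."""
    return len({r[key] for r in rows})

if __name__ == "__main__":
    multi = parse_multi(ROWS)
    for r in multi:
        print(r["_id"], r["gid"])
    print("rows with multi:", len(multi))
    print("gid_count with multi:", count_distinct(multi))
    print("gid_count, first match only:", count_distinct(parse_first(ROWS)))
```

With first-match-only extraction, a group that is never listed first in any message is missed, so the distinct count comes out too low.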