Tags: regex, splunk, splunk-query

Splunk regex filter events only one occurrence of special character


I would like to search only events which have a single '/'. How can I do that? Below is the start of the query:

index="association" sourcetype="escaplogs" 

data.val field can have the below type of values

restV2/138b-68a8-40be-bb03-567d619e/1e46d-a2a2-4ccd-b26d-f41be4edd
restV2/138b-68a8-40be-bb03-567d619e

How can I add data.val to the search so that it matches only values with a single '/'?


Solution

  • If you want only one / then you just search for one:

    | rex field=data.val "(?<val>^[^/]+/[^/]+$)"
    | where !isnull(val)
    

    How the regex works:

    Then you use where to keep only the events where val is not null.

    Here is a run-anywhere example:

    | makeresults count=2
    | streamstats count 
    | eval data.val = case(
      count=1, "restV2/138b-68a8-40be-bb03-567d619e/1e46d-a2a2-4ccd-b26d-f41be4edd",
      count=2, "restV2/138b-68a8-40be-bb03-567d619e")
    | rex field=data.val "(?<val>^[^/]+/[^/]+$)"
    | where !isnull(val)
    | fields -val
    | table _time data.val
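    To see which values the anchored pattern accepts and rejects without a Splunk instance, here is an added Python stand-in (not part of the answer above) that applies the same regex to constructed sample values, including the edge cases the question does not list (no slash, leading or trailing slash, missing field):

```python
import re

# The same pattern the rex command uses: anchored, exactly one "/",
# with at least one non-slash character on each side.
SINGLE_SLASH = re.compile(r"^[^/]+/[^/]+$")


def has_single_slash(value: str) -> bool:
    """True when value contains exactly one '/' with text on both sides."""
    return SINGLE_SLASH.fullmatch(value) is not None


def filter_events(events):
    """Keep only events whose data.val passes the check.

    Mirrors `rex ... | where !isnull(val)`: events with no data.val field
    get no capture and are dropped, just like non-matching values.
    """
    return [e for e in events if has_single_slash(e.get("data.val", ""))]


# Constructed sample events (hypothetical, not taken from the page).
SAMPLE_EVENTS = [
    {"data.val": "restV2/138b-68a8-40be-bb03-567d619e/1e46d-a2a2-4ccd-b26d-f41be4edd"},  # two slashes: drop
    {"data.val": "restV2/138b-68a8-40be-bb03-567d619e"},  # one slash: keep
    {"data.val": "restV2"},   # no slash: drop
    {"data.val": "restV2/"},  # trailing slash, empty right side: drop
    {"data.val": "/138b"},    # leading slash, empty left side: drop
    {},                       # field missing entirely: drop
]


if __name__ == "__main__":
    for event in filter_events(SAMPLE_EVENTS):
        print(event["data.val"])
```

    Note that `[^/]+` requires at least one character on each side, so a value that is just "restV2/" is rejected even though it contains exactly one slash; use `[^/]*` on the right if such values should be kept.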