I have such events:
Id":"123456","string","groupId":"AB123"}]
I want to extract the fields Id, i.e. 123456 and groupId, i.e. AB123.
I tried this:
query
| rex field=_raw "Id\":\"(?<Id>\d+)\".+groupId\W+(?<groupId>\w+)"
| timechart partial=f span=10m dc(Id) by groupId
It did not count anything.
What did I do wrong?
First, you're grouping by a field that may not exist (did you mean groupId instead of serviceId?)
Second, are you sure your regular expression is correct?
This tested one is simpler:
| rex field=_raw "Id\W+(?<Id>\d+)\D+groupId\W+(?<groupid>\w+)"