Hi,
How could I write a query in IDR to return events where the length of a specific key-pair value is over a specific number of characters? For example, where(length of username > 10)
Thanks
Hi @talford, you can’t use a function such as length; however, you can use regex and capture groups, such as:
where(/user":"(?P<user_>(\w|\s){10,500})/)groupby("user_")limit(1000)
This would return a list of users whose name is between 10 and 500 characters and can have characters (\w) or spaces (\s).
You would potentially need to tweak the anchor of user":" depending on the structure of the logs; my example would apply to Ingress Auth events.
David
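As an added example (not part of the reply above), the capture-group pattern can be checked offline against constructed log lines before it goes into a query. This runs in Python's `re` engine rather than LEQL, so results in IDR should still be confirmed there; `STRICT_PATTERN` and the sample events are assumptions made for illustration.

```python
import re

# Pattern from the reply above, unchanged (Python accepts the same (?P<name>...) syntax).
REPLY_PATTERN = re.compile(r'user":"(?P<user_>(\w|\s){10,500})')
# Assumed variant: 11 or more characters of any kind, up to the closing quote.
STRICT_PATTERN = re.compile(r'user":"(?P<user_>[^"]{11,})"')

# Constructed sample events, shaped loosely like JSON auth logs (not real IDR output).
SAMPLE_EVENTS = [
    '{"user":"bob","result":"SUCCESS"}',
    '{"user":"tenletters","result":"SUCCESS"}',           # exactly 10 characters
    '{"user":"administrator","result":"FAILED"}',         # 13 characters
    '{"user":"jane.doe@example.com","result":"FAILED"}',  # 20, contains . and @
    '{"user":"svc backup account","result":"SUCCESS"}',   # 18, contains spaces
]


def matching_users(pattern, events):
    """Return the captured user_ value for every event the pattern matches."""
    users = []
    for event in events:
        m = pattern.search(event)
        if m:
            users.append(m.group("user_"))
    return users


def compare(events):
    """Map each pattern name to the list of user values it captures."""
    return {
        "reply": matching_users(REPLY_PATTERN, events),
        "strict": matching_users(STRICT_PATTERN, events),
    }


if __name__ == "__main__":
    for name, users in compare(SAMPLE_EVENTS).items():
        print(name, users)
```

The two patterns differ on the exactly-10-character name and on the name containing `.` and `@`, which is the kind of difference worth checking against your own log structure.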