https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508490#M142076 <P>I'd like to display stats based on a custom string within a log entry.&nbsp; Below is sample of the log entry.&nbsp; I'd like to parse the unique entries seen after <STRONG>"The following DAP records were selected for this connection:"</STRONG> string.&nbsp; If possible use the <EM>stats by</EM> .... method so it displays a unique entry with the amount of times it's been seen.&nbsp; &nbsp;So in the case of the 2 entries below, the stats would have&nbsp;<FONT face="courier new,courier"><STRONG>TEST_AUTOMATION_VENDOR</STRONG>, <FONT face="arial,helvetica,sans-serif">and</FONT>&nbsp;<STRONG>TEST2_AUTOMATION_VENDOR</STRONG></FONT>&nbsp;with a count next to it. I can do this for VPN users quite easily, but can't figure out how to do it for unique results of a string.&nbsp; &nbsp;I only know the basics of splunk search syntax so hopefully I'm explaining this clearly.</P><P>&nbsp;</P><P><FONT face="courier new,courier">%ASA-dap-6-734001: DAP: User TESTUSER, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: TEST_AUTOMATION_VENDOR</FONT></P><P><FONT face="courier new,courier">%ASA-dap-6-734001: DAP: User TESTUSER2, Addr 12.12.12.12, Connection AnyConnect: The following DAP records were selected for this connection: TEST2_AUTOMATION_VENDOR</FONT></P> Fri, 10 Jul 2020 14:20:17 GMT dv2323 2020-07-10T14:20:17Z https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508490#M142076 <P>I'd like to display stats based on a custom string within a log entry.&nbsp; Below is sample of the log entry.&nbsp; I'd like to parse the unique entries seen after <STRONG>"The following DAP records were selected for this connection:"</STRONG> string.&nbsp; If possible use the <EM>stats by</EM> .... method so it displays a unique entry with the amount of times it's been seen.&nbsp; &nbsp;So in the case of the 2 entries below, the stats would have&nbsp;<FONT face="courier new,courier"><STRONG>TEST_AUTOMATION_VENDOR</STRONG>, <FONT face="arial,helvetica,sans-serif">and</FONT>&nbsp;<STRONG>TEST2_AUTOMATION_VENDOR</STRONG></FONT>&nbsp;with a count next to it. I can do this for VPN users quite easily, but can't figure out how to do it for unique results of a string.&nbsp; &nbsp;I only know the basics of splunk search syntax so hopefully I'm explaining this clearly.</P><P>&nbsp;</P><P><FONT face="courier new,courier">%ASA-dap-6-734001: DAP: User TESTUSER, Addr 10.10.10.10, Connection AnyConnect: The following DAP records were selected for this connection: TEST_AUTOMATION_VENDOR</FONT></P><P><FONT face="courier new,courier">%ASA-dap-6-734001: DAP: User TESTUSER2, Addr 12.12.12.12, Connection AnyConnect: The following DAP records were selected for this connection: TEST2_AUTOMATION_VENDOR</FONT></P> Fri, 10 Jul 2020 14:20:17 GMT https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508490#M142076 dv2323 2020-07-10T14:20:17Z https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508496#M142079 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223581">@dv2323</a>&nbsp;You can use the rex command to extract the DAP record and then use stats, something like this:</P><LI-CODE lang="markup">index=your_index sourcetype=your_sourcetype | rex field=_raw "The following DAP records were selected for this connection: (?&lt;dap_record&gt;[A-Z_]+)" | stats count by dap_record</LI-CODE><P>I hope this helps!&nbsp;&nbsp;</P> Fri, 10 Jul 2020 14:59:15 GMT https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508496#M142079 livehybrid 2020-07-10T14:59:15Z https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508498#M142081 <P>Thank you that is very close to what I'm looking for!&nbsp; It's working, however it's only giving me partial names, and single Letter results.&nbsp; I'm thinking maybe the regex piece of [A-Z_]+ needs to be adjusted to include an entire dap record?</P> Fri, 10 Jul 2020 15:07:14 GMT https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508498#M142081 dv2323 2020-07-10T15:07:14Z https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508506#M142084 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223581">@dv2323</a>&nbsp;Replace [A-Z_]+ with ".+" or ".*". You can also add an anchor "$" for end of line after the cap group if desired.<BR /><BR />(?&lt;dap_record&gt;.+)$</P> Fri, 10 Jul 2020 15:36:37 GMT https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508506#M142084 rbar16 2020-07-10T15:36:37Z https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508507#M142085 <P>Sorry yes, you could use a variety of different regexs depending on what the rest of your data looks like - I missed the numerical digits..</P><LI-CODE lang="markup">index=your_index sourcetype=your_sourcetype | rex field=_raw "The following DAP records were selected for this connection: (?&lt;dap_record&gt;[a-zA-Z0-9_]+) | stats count by dap_record</LI-CODE><P>Let me know how you get on! Fingers crossed!</P><P>Will</P> Fri, 10 Jul 2020 15:40:57 GMT https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508507#M142085 livehybrid 2020-07-10T15:40:57Z https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508516#M142088 <P>This works well.&nbsp; Thank you.</P> Fri, 10 Jul 2020 16:13:06 GMT https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508516#M142088 dv2323 2020-07-10T16:13:06Z https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508517#M142089 <P>This works well.&nbsp; Gives me just the full DAP name, and count.&nbsp; Thank you.</P> Fri, 10 Jul 2020 16:13:53 GMT https://community.splunk.com/t5/Splunk-Search/Stats-by-custom-string/m-p/508517#M142089 dv2323 2020-07-10T16:13:53Z