https://community.splunk.com/t5/Splunk-Search/Linecount-issue-when-searching-logs/m-p/30255#M178003 <P>Sure, try this:</P> <PRE><CODE>sourcetype="Cron_SendNotificationEmail" source="*info*" starthoursago="24" | rex max_match=10 "send_to_email \[(?P&lt;send_to_email&gt;\S+)\]" </CODE></PRE> <P>If you want to match more than 10, just increase the <CODE>max_match</CODE> value.</P> <P>Hope that helps.</P> Sat, 22 Jan 2011 01:05:56 GMT Lamar 2011-01-22T01:05:56Z https://community.splunk.com/t5/Splunk-Search/Linecount-issue-when-searching-logs/m-p/30254#M178002 <P>I have a question regarding a search I am trying to compose.</P> <P>Here is a snipped from the logs:</P> <PRE><CODE>Tue Jan 18 13:50:01 UTC 2011 /opt/OXRS/blahblahblah/oxrs-flex/rpt threshold check query succeeded at /opt/OXRS/INFO-CRON/oxrs-flex/rpt/rpt_send_notification_email.pl line 65. Log DB handle successfully connected send_to_email [support@dnottellingyou.com] Inserting a record into the notification table send_to_email [billing@nopetryagain.com] Inserting a record into the notification table send_to_email [heynow@heynow.com] Inserting a record into the notification table All done! </CODE></PRE> <P>so, all i want out of this log is to know every time that send_to_email is printed in this logs. that indicates an email went out. I eventually want to get a count of all the emails went out, so counting send_to_email is the best option. So far my search looks like this:</P> <PRE><CODE>sourcetype="Cron_SendNotificationEmail" source="*info*" starthoursago="24" send_to_email: </CODE></PRE> <P>I have tried using the field extractor to make send_to_email a field, but it did not work out as expected. I also tried making this an eventtype. I was able to make send_to_email an eventtype so I could use it for searching, but then I noticed something.</P> <P>LINECOUNT! I'm having issue with the linecount. Meaning, splunk will find a log entry and only count finding send_to_email ONCE when right there in front of you in black and white you clearly see send_to_email 3 TIMES....but splunk only counts it as one "event"</P> <P>Case in point the example above splunk only sees as 1 event and only counts send_to_email once, not 3 times...</P> <P>How on earth do I fix this? Do I have to use props.conf? </P> Sat, 22 Jan 2011 00:07:14 GMT https://community.splunk.com/t5/Splunk-Search/Linecount-issue-when-searching-logs/m-p/30254#M178002 gnovak 2011-01-22T00:07:14Z https://community.splunk.com/t5/Splunk-Search/Linecount-issue-when-searching-logs/m-p/30255#M178003 <P>Sure, try this:</P> <PRE><CODE>sourcetype="Cron_SendNotificationEmail" source="*info*" starthoursago="24" | rex max_match=10 "send_to_email \[(?P&lt;send_to_email&gt;\S+)\]" </CODE></PRE> <P>If you want to match more than 10, just increase the <CODE>max_match</CODE> value.</P> <P>Hope that helps.</P> Sat, 22 Jan 2011 01:05:56 GMT https://community.splunk.com/t5/Splunk-Search/Linecount-issue-when-searching-logs/m-p/30255#M178003 Lamar 2011-01-22T01:05:56Z