https://community.splunk.com/t5/Splunk-Search/Create-Statistic-Table-Based-on-Regex/m-p/562700#M196071 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237237">@Wendy</a>,<BR /><BR />You need to extract relevant values in the fields using rex and then use stats to count as per your requirements. Try this:</P><LI-CODE lang="markup">index=indexname | rex field=msg "(?&lt;message&gt;(Exception:\s)?(?i)Recaptcha\s(?&lt;version&gt;v\s?\d)[\w\W]+(successful|failure))" | eval version=replace(version, "\s+", ""), status=if(match(message, "Exception:"), "FAIL", "SUCCESS") | eventstats count as status_count by status | stats latest(_time) as _time, latest(*) as * count as message_count by message</LI-CODE><P>&nbsp;</P><P>If this reply helps you, a like would be appreciated.</P> Tue, 10 Aug 2021 02:23:06 GMT manjunathmeti 2021-08-10T02:23:06Z https://community.splunk.com/t5/Splunk-Search/Create-Statistic-Table-Based-on-Regex/m-p/562693#M196067 <P>Hi experts, I am new to Splunk and came across this requirement at work.</P><P><STRONG>Requirement:</STRONG></P><P>I want to create a table showing numbers of 2 different versions of recaptcha being successfully and unsuccessfully processed.</P><P><STRONG>Current Log info: </STRONG></P><P>Each event has a field named "msg" which contains many information, including wording like "<SPAN><SPAN class="key level-1"><SPAN class="t string">Exception: recaptcha v 2 validation failure,</SPAN></SPAN></SPAN>" "<SPAN><SPAN class="key level-1"><SPAN class="t string">Exception: recaptcha v 3 validation failure", "Recaptcha v2 verification: successful", Recaptcha v3 verification: successful" based on different events. </SPAN></SPAN></SPAN></P><P><STRONG><SPAN class="key level-1"><SPAN class="t string">Tasks:<BR /></SPAN></SPAN></STRONG><SPAN class="key level-1"><SPAN class="t string">How can I create a regex expression to count number of all exceptions and number of different types of exceptions? </SPAN></SPAN><SPAN class="key level-1"><SPAN class="t string">Same tasks for successful message, but I can figure it out if someone can help with the previous question? </SPAN></SPAN></P><P><SPAN class="key level-1"><SPAN class="t string">Thank you.</SPAN></SPAN></P><P>&nbsp;</P> Tue, 10 Aug 2021 01:33:14 GMT https://community.splunk.com/t5/Splunk-Search/Create-Statistic-Table-Based-on-Regex/m-p/562693#M196067 Wendy 2021-08-10T01:33:14Z https://community.splunk.com/t5/Splunk-Search/Create-Statistic-Table-Based-on-Regex/m-p/562699#M196070 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237237">@Wendy</a>&nbsp;</P><P>can you share the sample raw event to write a regex. You can anonymize the critical info if any.</P> Tue, 10 Aug 2021 02:06:56 GMT https://community.splunk.com/t5/Splunk-Search/Create-Statistic-Table-Based-on-Regex/m-p/562699#M196070 venkatasri 2021-08-10T02:06:56Z https://community.splunk.com/t5/Splunk-Search/Create-Statistic-Table-Based-on-Regex/m-p/562700#M196071 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237237">@Wendy</a>,<BR /><BR />You need to extract relevant values in the fields using rex and then use stats to count as per your requirements. Try this:</P><LI-CODE lang="markup">index=indexname | rex field=msg "(?&lt;message&gt;(Exception:\s)?(?i)Recaptcha\s(?&lt;version&gt;v\s?\d)[\w\W]+(successful|failure))" | eval version=replace(version, "\s+", ""), status=if(match(message, "Exception:"), "FAIL", "SUCCESS") | eventstats count as status_count by status | stats latest(_time) as _time, latest(*) as * count as message_count by message</LI-CODE><P>&nbsp;</P><P>If this reply helps you, a like would be appreciated.</P> Tue, 10 Aug 2021 02:23:06 GMT https://community.splunk.com/t5/Splunk-Search/Create-Statistic-Table-Based-on-Regex/m-p/562700#M196071 manjunathmeti 2021-08-10T02:23:06Z https://community.splunk.com/t5/Splunk-Search/Create-Statistic-Table-Based-on-Regex/m-p/562734#M196080 <P>HI <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129090">@manjunathmeti</a> , that helps. I just need to dissemble your query to understand how it works.</P> Tue, 10 Aug 2021 13:01:03 GMT https://community.splunk.com/t5/Splunk-Search/Create-Statistic-Table-Based-on-Regex/m-p/562734#M196080 Wendy 2021-08-10T13:01:03Z https://community.splunk.com/t5/Splunk-Search/Create-Statistic-Table-Based-on-Regex/m-p/562753#M196087 <P>1. Extract fields&nbsp;message and&nbsp;version from&nbsp;msg using rex command. Check this slink for detailed regex explanation:&nbsp;&nbsp;<A title="https://regex101.com/r/VjmWn6/1/" href="https://regex101.com/r/VjmWn6/1/" target="_self">https://regex101.com/r/VjmWn6/1/</A>&nbsp;:</P><P><STRONG>| rex field=msg "(?&lt;message&gt;(Exception:\s)?(?i)Recaptcha\s(?&lt;version&gt;v\s?\d)[\w\W]+(successful|failure))"</STRONG></P><P>2. Remove whitespace in field version. Evaluate status to&nbsp;FAIL/SUCCESS based on&nbsp;message field values:</P><P><STRONG>| eval version=replace(version, "\s+", ""), status=if(match(message, "Exception:"), "FAIL", "SUCCESS") </STRONG></P><P>3. Count&nbsp;FAIL/SUCCESS status. Check this link for details on eventstats command <A href="https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Eventstats" target="_self">eventstats</A>&nbsp;.<BR /><STRONG>| eventstats count as status_count by status</STRONG><BR /><BR />4. Count events by the messages. Check this link for details on stats command&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats" target="_self">stats</A>&nbsp;.<BR /><STRONG>| stats latest(_time) as _time, latest(*) as * count as message_count by message</STRONG></P> Tue, 10 Aug 2021 15:22:28 GMT https://community.splunk.com/t5/Splunk-Search/Create-Statistic-Table-Based-on-Regex/m-p/562753#M196087 manjunathmeti 2021-08-10T15:22:28Z