https://community.splunk.com/t5/Splunk-Search/Search-Stats-with-raw-field/m-p/605643#M210617 <P>Check that the method field has actually been extracted</P> Thu, 14 Jul 2022 16:27:55 GMT ITWhisperer 2022-07-14T16:27:55Z https://community.splunk.com/t5/Splunk-Search/Search-Stats-with-raw-field/m-p/605639#M210615 <P>Hello,&nbsp;</P><P>In my search I'm trying to get a series of events (transact - which is in the _raw field) counted out by another field in _raw for GET or POST. This is what I'm currently using:&nbsp;</P><P>host="EXAMPLE-*" sourcetype=Hex4 /ps/* | rex mode=sed field=_raw "s/(\S+)(tx_\S+)(\/\S+)/\1trans\3/g" | rex mode=sed field=_raw "s/(\S+)(nce_\S+)(\/\S+)/\1nce\3/g" | rex mode=sed field=_raw "s/(\S+)(dce_\S+)(\/\S+)/\1dvc\3/g" | rex "POST (?&lt;transact&gt;\S+)" | stats count(eval(method="GET")) as GET, count(eval(method="POST")) as POST by transact</P><P>It does bring up the transactions and columns for GET and POST, but the counts are blank so I know I'm doing something wrong.&nbsp;</P><P>Any help would be greatly appreciated!</P><P>Thank you!</P> Thu, 14 Jul 2022 16:12:33 GMT https://community.splunk.com/t5/Splunk-Search/Search-Stats-with-raw-field/m-p/605639#M210615 mcscjlf 2022-07-14T16:12:33Z https://community.splunk.com/t5/Splunk-Search/Search-Stats-with-raw-field/m-p/605643#M210617 <P>Check that the method field has actually been extracted</P> Thu, 14 Jul 2022 16:27:55 GMT https://community.splunk.com/t5/Splunk-Search/Search-Stats-with-raw-field/m-p/605643#M210617 ITWhisperer 2022-07-14T16:27:55Z