https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115763#M30715 <P>I futzed around with the rex Marco sent and it worked. Just for historical purposes, the rex for this is:<BR /> rex "User\s&lt;(?<USER>[^&gt;]+)&gt;" | stats count by user<BR /> Thanks again.</USER></P> Wed, 02 Apr 2014 16:54:40 GMT jpvh12345 2014-04-02T16:54:40Z https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115759#M30711 <P>I have single-line log entries that come into splunk looking like this:<BR /> Apr 1 12:34:09 10.1.9.254 %ASA-4-722051: Group <FBTMGMT> User <SAMARTINEZ2> IP &lt;108.81.41.121&gt; Address &lt;172.31.255.91&gt; assigned to session<BR /> Each entry represents a single login.<BR /> I would like to have a count of all log entries with individual names that follow in the &lt;&gt; after the "User" phrase. User is not a field defined so it has to be done with a rex or something at search time.<BR /> The last thing I've tried is:<BR /> | rex field=_raw "User\s(?<USER>)" | stats count by _raw<BR /> but all I get with this is a listing of the individual log entries.</USER></SAMARTINEZ2></FBTMGMT></P> Tue, 01 Apr 2014 22:25:01 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115759#M30711 jpvh12345 2014-04-01T22:25:01Z https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115760#M30712 <P>Search something like </P> <P>Group user ip assignment to session | stats count as "login number"</P> <P>That's it. </P> <P>If instead you want to really use "Rex" you can do something like </P> <P>....| rex "User\s&lt;(?<USER>[^&gt;]+)&gt; | stats count(user)</USER></P> <P>And forget _raw.</P> <P>Marco</P> Tue, 01 Apr 2014 23:31:30 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115760#M30712 marcoscala 2014-04-01T23:31:30Z https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115761#M30713 <P>you are correct. But you only miss a small thing in count.</P> <P><CODE>|stats count by user</CODE></P> Wed, 02 Apr 2014 05:23:11 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115761#M30713 linu1988 2014-04-02T05:23:11Z https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115762#M30714 <P>Thank you, but no, I had already tried stats count by user and that didn't work.</P> Wed, 02 Apr 2014 16:47:56 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115762#M30714 jpvh12345 2014-04-02T16:47:56Z https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115763#M30715 <P>I futzed around with the rex Marco sent and it worked. Just for historical purposes, the rex for this is:<BR /> rex "User\s&lt;(?<USER>[^&gt;]+)&gt;" | stats count by user<BR /> Thanks again.</USER></P> Wed, 02 Apr 2014 16:54:40 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115763#M30715 jpvh12345 2014-04-02T16:54:40Z https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115764#M30716 <P>sorry folks for some confusion.. I was writing from my iPad and there was some extra capitalization due to autocorrect....<BR /> Marco</P> Wed, 02 Apr 2014 17:04:44 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115764#M30716 marcoscala 2014-04-02T17:04:44Z https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115765#M30717 <P>good job.<BR /> in that way you have the different login for each different user. My stats was counting all events where the field user had a value.</P> <P>Marco</P> Wed, 02 Apr 2014 17:06:14 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-rex-and-stats-count/m-p/115765#M30717 marcoscala 2014-04-02T17:06:14Z