https://community.splunk.com/t5/Splunk-Search/Rex-RegEx-Question/m-p/142425#M39541 <P>Try this:</P> <P><CODE>search |rex ".*(?P&lt;UnableCart&gt;unable.*)" |table UnableCart</CODE></P> Fri, 07 Feb 2014 20:12:10 GMT lukejadamec 2014-02-07T20:12:10Z https://community.splunk.com/t5/Splunk-Search/Rex-RegEx-Question/m-p/142424#M39540 <P>Hello</P> <P>I am trying to pull a text string out of some raw results using a simple regex. Heres my question: I would like to be able to get a stats count on the number of occurrances of this string. i would assume that you would have to put it into another field as it is simple text at the moment and not in a field. How would I do this? I am new to the rex/regex portion of Splunk and could use a little guidance.</P> <P>Here is the raw data:</P> <PRE><CODE>log_source=TT.WebService.Internal.OrderIntegration.OrderIntegration - Unable to reserve shopping cart: Attempt to add tickets to the shopping cart resulted in a failure due to tickets no longer being on the exchange. TT.Logic.TicketsNotFoundException: Exception of type 'TT.Logic.TicketsNotFoundException' was thrown. </CODE></PRE> <P>I used \bUnable\b.* to get just the sentence "Unable to reserve shopping cart: Attempt to add tickets to the shopping cart resulted in a failure due to tickets no longer being on the exchange."</P> <P>I tried using "rex field=_raw...." and also creating a field named error like "rex field=error mode=sed" but am still not doing something correctly.</P> <P>Any advice would be appreciated, thank you!</P> Fri, 07 Feb 2014 19:33:21 GMT https://community.splunk.com/t5/Splunk-Search/Rex-RegEx-Question/m-p/142424#M39540 tkwaller 2014-02-07T19:33:21Z https://community.splunk.com/t5/Splunk-Search/Rex-RegEx-Question/m-p/142425#M39541 <P>Try this:</P> <P><CODE>search |rex ".*(?P&lt;UnableCart&gt;unable.*)" |table UnableCart</CODE></P> Fri, 07 Feb 2014 20:12:10 GMT https://community.splunk.com/t5/Splunk-Search/Rex-RegEx-Question/m-p/142425#M39541 lukejadamec 2014-02-07T20:12:10Z https://community.splunk.com/t5/Splunk-Search/Rex-RegEx-Question/m-p/142426#M39542 <P>Are you trying to count the number of events that contain a certain string, or are you trying to count the number of times a certain string appears in one event?</P> Fri, 07 Feb 2014 20:12:34 GMT https://community.splunk.com/t5/Splunk-Search/Rex-RegEx-Question/m-p/142426#M39542 martin_mueller 2014-02-07T20:12:34Z https://community.splunk.com/t5/Splunk-Search/Rex-RegEx-Question/m-p/142427#M39543 <P>I am trying to count the number of events that contain this string</P> Fri, 07 Feb 2014 20:48:23 GMT https://community.splunk.com/t5/Splunk-Search/Rex-RegEx-Question/m-p/142427#M39543 tkwaller 2014-02-07T20:48:23Z https://community.splunk.com/t5/Splunk-Search/Rex-RegEx-Question/m-p/142428#M39544 <P>In order to count events containing a certain string, try something like this:</P> <PRE><CODE>index=foo sourcetype=bar "a certain string" | stats count </CODE></PRE> Fri, 07 Feb 2014 20:50:26 GMT https://community.splunk.com/t5/Splunk-Search/Rex-RegEx-Question/m-p/142428#M39544 martin_mueller 2014-02-07T20:50:26Z https://community.splunk.com/t5/Splunk-Search/Rex-RegEx-Question/m-p/142429#M39545 <P>Getting closer. I think I can move forward from here through trial and error. Thanks so much for the guidance</P> Fri, 07 Feb 2014 20:53:07 GMT https://community.splunk.com/t5/Splunk-Search/Rex-RegEx-Question/m-p/142429#M39545 tkwaller 2014-02-07T20:53:07Z