Solved: Re: Regex Stats count Help

valpravin · ‎03-25-2018

Hi All

I have String result as a

"Event":"BirthDay"
"Event":"MarriageAnniversary"
"Event":"NewYear"
"Event":"BirthDay"

when I do stats count by activity I want to get results as:

BirthDay : 2
MarriageAnniversary : 1
NewYear : 1

Tried Like this but no help

| rex field=_raw "\?Event=(?"":"\w+")" | stats count by Event

tiagofbmm · ‎03-25-2018

Hello

Please try this one

| rex field=_raw "\"Event\"\:\"(?<Activity>[^\"]*)"

View solution in original post

richgalloway · ‎03-25-2018

When writing regular expressions or other code in questions, answers, or comments it's best to enclose them in backtic characters (`) so they don't get dropped. You can also highlight your code and click the "101010" button.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎03-25-2018

Your regex string is a little off. Try this one. You may need to insert additional backslashes to make rex happy. It can be tricky to create a regex with quotes in it.

| rex "Event\":\"(?<Event>\w+)\"" | ...

---
If this reply helps you, Karma would be appreciated.

tiagofbmm · ‎03-25-2018

Hello

Please try this one

| rex field=_raw "\"Event\"\:\"(?<Activity>[^\"]*)"

Regex Stats count Help

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation