Solved: Summing multiple matches with rex command

jbrenner · ‎04-23-2021

I have a pattern of text that appears in a log statement multiple times.

Here is an example:

RandomStuff|LoginCount=5|RandomStuff|LoginCount=3|More RandomStuff|LoginCount=4|YetMoreRandomStuff

How can I use the rex command to get a sum of all the LoginCount values (which would total 12 in this example)?

Thanks!

Jonathan

ITWhisperer · ‎04-23-2021

| makeresults 
| eval _raw="RandomStuff|LoginCount=5|RandomStuff|LoginCount=3|More RandomStuff|LoginCount=4|YetMoreRandomStuff
RandomStuff|LoginCount=6|RandomStuff|LoginCount=7|More RandomStuff|LoginCount=3|YetMoreRandomStuff"
| multikv noheader=t
| fields _*



| rex max_match=0 "LoginCount=(?<logincount>\d+)"
| streamstats count as row
| eventstats sum(logincount) as logincount by row
| fields - row

View solution in original post

ITWhisperer · ‎04-23-2021

| makeresults 
| eval _raw="RandomStuff|LoginCount=5|RandomStuff|LoginCount=3|More RandomStuff|LoginCount=4|YetMoreRandomStuff
RandomStuff|LoginCount=6|RandomStuff|LoginCount=7|More RandomStuff|LoginCount=3|YetMoreRandomStuff"
| multikv noheader=t
| fields _*



| rex max_match=0 "LoginCount=(?<logincount>\d+)"
| streamstats count as row
| eventstats sum(logincount) as logincount by row
| fields - row

jbrenner · ‎04-29-2021

Thank you! This is exactly what I needed!

jbrenner · ‎04-23-2021

I forgot to mention that I don't know how many times LoginCount will appear in any particular log statement. The number of instances will vary.

Summing multiple matches with rex command

other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms