Solved: Summing multiple matches with rex command

jbrenner · ‎04-23-2021

I have a pattern of text that appears in a log statement multiple times.

Here is an example:

RandomStuff|LoginCount=5|RandomStuff|LoginCount=3|More RandomStuff|LoginCount=4|YetMoreRandomStuff

How can I use the rex command to get a sum of all the LoginCount values (which would total 12 in this example)?

Thanks!

Jonathan

ITWhisperer · ‎04-23-2021

| makeresults 
| eval _raw="RandomStuff|LoginCount=5|RandomStuff|LoginCount=3|More RandomStuff|LoginCount=4|YetMoreRandomStuff
RandomStuff|LoginCount=6|RandomStuff|LoginCount=7|More RandomStuff|LoginCount=3|YetMoreRandomStuff"
| multikv noheader=t
| fields _*



| rex max_match=0 "LoginCount=(?<logincount>\d+)"
| streamstats count as row
| eventstats sum(logincount) as logincount by row
| fields - row

View solution in original post

ITWhisperer · ‎04-23-2021

| makeresults 
| eval _raw="RandomStuff|LoginCount=5|RandomStuff|LoginCount=3|More RandomStuff|LoginCount=4|YetMoreRandomStuff
RandomStuff|LoginCount=6|RandomStuff|LoginCount=7|More RandomStuff|LoginCount=3|YetMoreRandomStuff"
| multikv noheader=t
| fields _*



| rex max_match=0 "LoginCount=(?<logincount>\d+)"
| streamstats count as row
| eventstats sum(logincount) as logincount by row
| fields - row

jbrenner · ‎04-29-2021

Thank you! This is exactly what I needed!

jbrenner · ‎04-23-2021

I forgot to mention that I don't know how many times LoginCount will appear in any particular log statement. The number of instances will vary.

Summing multiple matches with rex command

other

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?