After extracting a field with rex, what is the mos...

pred15 · ‎07-14-2020

Hi, any help with this would be appreciated!

rex field=msg.message "loc=(?<place>\d+)" | search place="16" | stats count by "place"

The extracted field is place. The specific place I am searching for is "16". Is there a more efficient way to search for a specific place before calling stats?

richgalloway · ‎07-14-2020

Looks fine to me.

---
If this reply helps you, Karma would be appreciated.

pred15 · ‎07-14-2020

@richgalloway Is there any more efficient way to do this such as bypassing the field extraction if I am only looking for a singular specific "place"?

richgalloway · ‎07-14-2020

I'm not sure if it's "more efficient", but you could try this search. Compare this your other one using Job Inspector to see which works best.

| where match(msg.message, "loc=16")| stats count

---
If this reply helps you, Karma would be appreciated.

After extracting a field with rex, what is the most efficient way to call stats on a specific value within this field?

rex

stats

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

After extracting a field with rex, what is the most efficient way to call stats on a specific value within this field?

rex

stats

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?