Splunk Search

How do I use rex to extract fields from my sample data and get the count?

melodyqu2015
New Member

I want to extract fields.

This is the log:

country=us,name = [peter, susan, jack],city=nyc

When I do this:

| table name

The result is:
[peter

How do I use rex to extract the names and get the count of name, so that the output is 3?

Thanks!

0 Karma

MuS
Legend

Hi melodyqu2015,

based on the provided examples you can use this rex to get the fields:

your search here to get the results 
| rex field=name max_match=0 "[\[\s](?<name>\w+)[,\]]" 
| stats count(name) AS count 

The result for the example will be count=3, as you can see in this run-anywhere search (the first line is only needed to build the dummy event):

| gentimes start=-1 | eval foo=" country=us,name = [peter, susan, jack],city=nyc" 
| rex field=foo max_match=0 "[\[\s](?<name>\w+)[,\]]" 
| stats count(name) AS count

Hope this helps ...

cheers, MuS

0 Karma

melodyqu2015
New Member

Hi, thank you! I tried it, but it didn't work.

I tried searching with the following and want to see if I am extracting correctly. I want the result to have three names, and then I can use "split" and "count" to get the final result. But I got stuck at the extraction and get a null result here.

 | rex field=_raw ".*name=\[(?.*)\]+, city="  | table  name

Do you know how can I fix this?

Thanks!

0 Karma

MuS
Legend

Why not use the regex I provided to you? Yours will not match and does not work, because it contains an invalid group structure and an unmatched parenthesis.

You can test your regex at www.regex101.com

0 Karma

melodyqu2015
New Member

Your code works, but it didn't work for this log:

Amount = null,Id = sdf23sdfwieu-wejsidvuoiwue-2082rd,title = [aaa:titlebase:title#123123-2323-23223-2323-2323dfwe, aaa:titlebase:title#sdsdf-45453-dfgs-565-fgfg, aaa:titlebase:title#12dfwwe-df4f-345-8978-feferf],number = sdfi3i4rhjf-wekhsdifuh43-sdfoiueh,Uri = 3rjhoe8fu9-rhwufhwef-34piruheruf

And if I do

my search | table title

the result is just:

[aaa:titlebase:title#123123-2323-23223-2323-2323dfwe

How can I get the count of title? For this case, the result should be 3.

Thanks!

0 Karma
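The following is an added example, not code from either poster. It reproduces MuS's `max_match=0` extraction in Python's `re` (the patterns involved behave the same under PCRE and Python) on the two sample events from the thread, and shows why the `\w+` pattern returns 3 for the `name` log but not for the `title` log: `\w` does not cover `:`, `#` or `-`, and because the pattern is not anchored on the key it also picks up `null` from the unrelated `Amount` field. The `extract_list` helper is a hypothetical replacement that anchors on the key name, captures the bracketed body and splits on commas, which is the approach the last post describes ("split" and "count"). Sample events are constructed from the two logs in the thread.

```python
import re

# Constructed sample events, copied from the two logs posted in the thread.
LOG_NAME = "country=us,name = [peter, susan, jack],city=nyc"
LOG_TITLE = (
    "Amount = null,Id = sdf23sdfwieu-wejsidvuoiwue-2082rd,"
    "title = [aaa:titlebase:title#123123-2323-23223-2323-2323dfwe, "
    "aaa:titlebase:title#sdsdf-45453-dfgs-565-fgfg, "
    "aaa:titlebase:title#12dfwwe-df4f-345-8978-feferf],"
    "number = sdfi3i4rhjf-wekhsdifuh43-sdfoiueh,Uri = 3rjhoe8fu9-rhwufhwef-34piruheruf"
)

# MuS's pattern: a \w+ token with '[' or whitespace on the left and ',' or ']' on the right.
# Python uses (?P<name>...) where Splunk/PCRE uses (?<name>...); the rest is identical.
MUS_REGEX = re.compile(r"[\[\s](?P<name>\w+)[,\]]")


def rex_max_match(pattern, text):
    """Equivalent of `rex max_match=0`: return every capture, in order."""
    return [m.group(1) for m in pattern.finditer(text)]


def extract_list(key, text):
    """Hypothetical key-anchored extraction (not from the thread).

    Anchors on the literal key name, tolerates spaces around '=', captures
    everything up to the closing ']' and splits on commas. Values may contain
    ':' '#' '-' or anything except ']' and ','. Returns [] when the key has
    no bracketed list, instead of silently matching some other field.
    """
    m = re.search(r"\b" + re.escape(key) + r"\s*=\s*\[([^\]]*)\]", text)
    if not m:
        return []
    return [item.strip() for item in m.group(1).split(",") if item.strip()]


def count_list(key, text):
    """The number the posters want: how many entries the bracketed list holds."""
    return len(extract_list(key, text))


if __name__ == "__main__":
    print(rex_max_match(MUS_REGEX, LOG_NAME))    # 3 names
    print(rex_max_match(MUS_REGEX, LOG_TITLE))   # only 'null', from the Amount field
    print(count_list("name", LOG_NAME))
    print(count_list("title", LOG_TITLE))
```

Run against the title log, MuS's pattern yields a single match, `null`, taken from `Amount = null,`: an unanchored pattern over `_raw` will happily return a value from whichever field happens to fit, so a count of 1 would look like a result rather than an error. Anchoring on the key name removes that failure mode. In SPL the same idea is `| rex "title\s*=\s*\[(?<titles>[^\]]*)\]" | eval title_count=mvcount(split(titles, ","))`, which gives 3 for the second log.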