How to ensure the linecount is updated after remov...

kmorton · ‎05-17-2017

I've got some events with some lines in it that I don't want displayed, so I'm removing those with a rex sed statement inline to the search. The trick is that I want the linecount to also update. Is there any way to do this? My generic search is below, though it could be any sed statement to remove lines.

search expression
| rex mode=sed "s/[\n\r]*\s*at .*//g" 
| rex mode=sed "s/[\n\r]*\s*java.*//g"

woodcock · ‎04-07-2019

You can do it in one line like this:

... | eval linecount=mvcount(split(_raw, "
"))

Or this:

... | eval linecount=len(_raw) - len(replace(_raw, "[\r\n]+", "")) + 1

dmarling · ‎04-05-2019

Give this a try. It's very straight forward:

| rex max_match=0 "(?<linebreaks>\n+)"
| eval adjustedlinecount=mvcount(linebreaks)

It is extracting every line break in the event and then the adjustedlinecount field is counting how many linebreaks get returned on each event since the max_match is causing the linebreaks field to be multivalued.

If this comment/answer was helpful, please up vote it. Thank you.

How to ensure the linecount is updated after removing lines in a rex search?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

How to ensure the linecount is updated after removing lines in a rex search?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25