Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problem with rex and stats count

jpvh12345
New Member
‎04-01-2014 03:25 PM

I have single-line log entries that come into splunk looking like this:
Apr 1 12:34:09 10.1.9.254 %ASA-4-722051: Group User IP <108.81.41.121> Address <172.31.255.91> assigned to session
Each entry represents a single login.
I would like to have a count of all log entries with individual names that follow in the <> after the "User" phrase. User is not a field defined so it has to be done with a rex or something at search time.
The last thing I've tried is:
| rex field=_raw "User\s(?)" | stats count by _raw
but all I get with this is a listing of the individual log entries.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marcoscala
Builder
‎04-01-2014 04:31 PM

Search something like

Group user ip assignment to session | stats count as "login number"

That's it.

If instead you want to really use "Rex" you can do something like

....| rex "User\s<(?[^>]+)> | stats count(user)

And forget _raw.

Marco

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jpvh12345
New Member
‎04-02-2014 09:54 AM

I futzed around with the rex Marco sent and it worked. Just for historical purposes, the rex for this is:
rex "User\s<(?[^>]+)>" | stats count by user
Thanks again.

0 Karma
Reply
Solved! Jump to solution

marcoscala
Builder
‎04-02-2014 10:06 AM

good job.
in that way you have the different login for each different user. My stats was counting all events where the field user had a value.

Marco

0 Karma
Reply
Solved! Jump to solution

jpvh12345
New Member
‎04-02-2014 09:47 AM

Thank you, but no, I had already tried stats count by user and that didn't work.

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎04-01-2014 10:23 PM

you are correct. But you only miss a small thing in count.

|stats count by user

Reply
Solved! Jump to solution
Solution

marcoscala
Builder
‎04-01-2014 04:31 PM

Search something like

Group user ip assignment to session | stats count as "login number"

That's it.

If instead you want to really use "Rex" you can do something like

....| rex "User\s<(?[^>]+)> | stats count(user)

And forget _raw.

Marco

0 Karma
Reply
Solved! Jump to solution

marcoscala
Builder
‎04-02-2014 10:04 AM

sorry folks for some confusion.. I was writing from my iPad and there was some extra capitalization due to autocorrect....
Marco

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...