I have single-line log entries that come into splunk looking like this:
Apr 1 12:34:09 10.1.9.254 %ASA-4-722051: Group
Each entry represents a single login.
I would like to have a count of all log entries with individual names that follow in the <> after the "User" phrase. User is not a field defined so it has to be done with a rex or something at search time.
The last thing I've tried is:
| rex field=_raw "User\s(?
but all I get with this is a listing of the individual log entries.
Search something like
Group user ip assignment to session | stats count as "login number"
If instead you want to really use "Rex" you can do something like
....| rex "User\s<(?
And forget _raw.
Sorry folks for some confusion. I was writing from my iPad and there was some extra capitalization due to autocorrect.
I futzed around with the rex Marco sent and it worked. Just for historical purposes, the rex for this is:
In that way you have the different logins for each different user. My stats was counting all events where the field user had a value.
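As an added example (not part of this thread), here is the same extraction and per-user count done in Python with the pattern Marco's rex uses, run over a few constructed ASA lines; the full Group/User/IP layout of the event is an assumption, since the question's own line is truncated.

```python
import re
from collections import Counter

# Constructed sample events modelled on the %ASA-4-722051 line in the question.
# The Group/User/IP field layout is an assumption, not taken from the thread.
SAMPLE_LOGS = [
    "Apr 1 12:34:09 10.1.9.254 %ASA-4-722051: Group <VPN-Users> User <alice> "
    "IP <203.0.113.5> IPv4 Address <10.8.0.2> assigned to session",
    "Apr 1 12:35:11 10.1.9.254 %ASA-4-722051: Group <VPN-Users> User <bob> "
    "IP <203.0.113.9> IPv4 Address <10.8.0.3> assigned to session",
    "Apr 1 12:36:02 10.1.9.254 %ASA-4-722051: Group <VPN-Users> User <alice> "
    "IP <203.0.113.5> IPv4 Address <10.8.0.4> assigned to session",
    # Truncated event with no User field; must not be counted.
    "Apr 1 12:37:45 10.1.9.254 %ASA-4-722051: Group",
]

# Python form of the search-time rex: User\s<(?<user>[^>]+)>
USER_RE = re.compile(r"User\s<(?P<user>[^>]+)>")


def extract_user(event):
    """Return the name inside <> after 'User', or None when the event has none."""
    m = USER_RE.search(event)
    return m.group("user") if m else None


def count_logins(events):
    """Equivalent of '... | rex ... | stats count by user': logins per user.
    Events without a user value are skipped, as 'stats count by user' does."""
    counts = Counter()
    for event in events:
        user = extract_user(event)
        if user is not None:
            counts[user] += 1
    return dict(counts)


def total_logins(events):
    """Equivalent of the plain '| stats count' over events that have a user."""
    return sum(count_logins(events).values())


if __name__ == "__main__":
    print(count_logins(SAMPLE_LOGS))   # per-user breakdown
    print(total_logins(SAMPLE_LOGS))   # single total, as the first stats gave
```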