Like this:
index=_* sourcetype="audittrail"
| rex "(?ms)search='(?<search>.*)$$"
| rex field=search mode=sed "s/', autojoin='1',.*$$//"
| regex search="(^|[\s\\r\n(])sourcetype\s*=\s*\"?(?i)(wmi:)?(win|xml)eventlog(\*|:\*|:system|:security|:application)"
| stats dc(search)
Like this:
index=_* sourcetype="audittrail"
| rex "(?ms)search='(?<search>.*)$$"
| rex field=search mode=sed "s/', autojoin='1',.*$$//"
| regex search="(^|[\s\\r\n(])sourcetype\s*=\s*\"?(?i)(wmi:)?(win|xml)eventlog(\*|:\*|:system|:security|:application)"
| stats dc(search)
Thank you very much!
... | stats dc(someField)