I think it works i just re work the command like that

index=source | rex field=_raw "\]\s+(?<informations>\S+)\s+(?<ID>[^\-]+)"| chart count over ID by informations

Thanks :). But if one day the words INFO, ERROR or WARN are not followed anymore by the ID, it will not work isn't ?

. My regex just means, after ]extract the informationsfield, and after that field, take all caracters, except the -, and create a ID field with that values.

This means that, if INFO, ERROR or WARN are not followed by ID, the informations field will still be extracted, but the ID field will be populated with wrong values

Thanks

Do not forget to accept the answer, if are satisfy .

please add your comment under the answer.

ok i think i have updated my query. Test it again, and let me know

Steel not working. How can you catch the different type of events without use INFO, ERROR, WARN it in the regexe ?

(Because i told you the _raw are like that
text ERROR text
text ERROR text
text INFO text
text WARN text)

thanks

test this and let me know if your values are extracted.

         index=...|rex field=_raw "[^\n]+\s+(?<myfield>\w+)\s+"|table myfield

if not working, let me get a sample event please.

it's like that, in bold this is the field ID. The information I want is for each ID how many INFO, ERROR and WARN

2015-06-10 17:20:37,838 [Thread] INFO c.b.w.a.c.AbstractRepository - SE_USE_TTL was not specified. Defaulting to: false

2015-06-10 17:21:37,838 [Thread] ERROR c.b.w.a.c.AbstractRepository - SE_USE_TTL was not specified. Defaulting to: false

2015-06-10 17:22:37,838 [Thread] WARN c.b.w.a.c.AbstractRepository - SE_USE_TTL was not specified. Defaulting to: trye

many thanks

Means, you also need to extrac the ID field. Here you go for the extraction:

...|rex field=_raw "\]\s+(?<informations>\S+)\s+(?<ID>[^\-]+)"|table ID informations