Solved: Summing multiple matches with rex command

jbrenner · ‎04-23-2021

I have a pattern of text that appears in a log statement multiple times.

Here is an example:

RandomStuff|LoginCount=5|RandomStuff|LoginCount=3|More RandomStuff|LoginCount=4|YetMoreRandomStuff

How can I use the rex command to get a sum of all the LoginCount values (which would total 12 in this example)?

Thanks!

Jonathan

ITWhisperer · ‎04-23-2021

| makeresults 
| eval _raw="RandomStuff|LoginCount=5|RandomStuff|LoginCount=3|More RandomStuff|LoginCount=4|YetMoreRandomStuff
RandomStuff|LoginCount=6|RandomStuff|LoginCount=7|More RandomStuff|LoginCount=3|YetMoreRandomStuff"
| multikv noheader=t
| fields _*



| rex max_match=0 "LoginCount=(?<logincount>\d+)"
| streamstats count as row
| eventstats sum(logincount) as logincount by row
| fields - row

View solution in original post

ITWhisperer · ‎04-23-2021

| makeresults 
| eval _raw="RandomStuff|LoginCount=5|RandomStuff|LoginCount=3|More RandomStuff|LoginCount=4|YetMoreRandomStuff
RandomStuff|LoginCount=6|RandomStuff|LoginCount=7|More RandomStuff|LoginCount=3|YetMoreRandomStuff"
| multikv noheader=t
| fields _*



| rex max_match=0 "LoginCount=(?<logincount>\d+)"
| streamstats count as row
| eventstats sum(logincount) as logincount by row
| fields - row

jbrenner · ‎04-29-2021

Thank you! This is exactly what I needed!

jbrenner · ‎04-23-2021

I forgot to mention that I don't know how many times LoginCount will appear in any particular log statement. The number of instances will vary.

Summing multiple matches with rex command

other

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!