Get pattern count in a log line

lain179 · ‎06-13-2013

Hi,

I have log lines that looks like this

Fetching documents "FileName1.doc", "FileName2.xls", "FileName10.jpg", FileName342.docx" <ProcessID>

My goal is to find how many file names there are per ProcessID, given that each name is quoted and separated by a comma and a space. How can I accomplish that?

Thanks!

Gilberto_Castil · ‎06-13-2013

If the file names are bound by the phrase "Fetching Documents" and the "<ProcessID>", then capturing the names, converting to a list and then enumerating the items in that list will do.

At search time you can catch the data with a runtime extraction:

sourcetype="answers-1371175757" | rex field=_raw "Fetching\sdocuments\s(?<FileNames>.+?)\s+\<(?<ProcessID>.+?)\>" | table FileNames ProcessID

There are, of course, multiple ways of doing that efficiently and you can always improve on that method. This will render something like this:

Instead of a table use makemv to convert the field to a list -ensure you delimit the members of the list by a comma.

| makemv delim="," FileNames

At this point, enumerate using stats:

 | stats count(FileNames) AS count by ProcessID

All together, it should look something like this:

sourcetype="answers-1371175757" | rex field=_raw "Fetching\sdocuments\s(?<FileNames>.+?)\s+\<(?<ProcessID>.+?)\>" | makemv delim="," FileNames | stats count(FileNames) AS count by ProcessID

And, it should produce something like this:

gc

Get pattern count in a log line

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team