
My sample log looks like the one below:

fixed message: 443-343-234-event-put
fixed message: wre-sdfsdf-234-event-keep-alive
fixed message: dg34-343-234-event-auth_revoked
fixed message: qqqq-sdf-234-event-put
fixed message: wre-r323-234-event-keep-alive
fixed message: we33-343-234-event-auth_revoked

The log pattern is "fixed message: {UUID}-{event-type}".

I would like to capture how many total events there are, and out of those, how many are event-put, event-keep-alive and event-auth_revoked.

Can I have a Splunk query to capture the above needs?

Laxmikanth Samudrala

1 Answer

You can use rex to prototype a field extraction, so you can try it out first:

rex "fixed message: (?P<UUID>\w+-\w+-\w+)-(?P<event>.*)"

So you can do this:

search terms | rex "fixed message: (?P<UUID>[^-]+-[^-]+-[^-]+)-(?P<event>.*)" | stats count by event

Then you can read the documentation to make it so that you don't need to always do the rex command with your searches, so the field extraction happens automatically.

Larry Shatzer
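As an added, runnable illustration (not part of the question or the answer above), here is the same extraction and count carried out in Python with the `re` module, which understands the same `(?P<name>...)` named-group syntax as Splunk's rex. It shows what `rex ... | stats count by event` produces on the question's sample lines, and also counts the lines the regex does not match, which a `stats count by event` would silently drop because those events have no `event` field. The sample lines are constructed from the question's format, and the `extract` / `count_events` helper names are my own.

```python
import re
from collections import Counter

# Constructed sample lines copied from the question's format; not real log data.
SAMPLE_LOG = """\
fixed message: 443-343-234-event-put
fixed message: wre-sdfsdf-234-event-keep-alive
fixed message: dg34-343-234-event-auth_revoked
fixed message: qqqq-sdf-234-event-put
fixed message: wre-r323-234-event-keep-alive
fixed message: we33-343-234-event-auth_revoked
"""

# Equivalent of: rex "fixed message: (?P<UUID>[^-]+-[^-]+-[^-]+)-(?P<event>.*)"
# The UUID is three hyphen-free tokens joined by hyphens; the event type is
# everything after the fourth hyphen. Note it must be `[^-]+` (one or more
# non-hyphen characters), not `[^-+]`, or each token could only be one character.
LINE_RE = re.compile(r"fixed message: (?P<UUID>[^-]+-[^-]+-[^-]+)-(?P<event>.*)")


def extract(line):
    """Return {'UUID': ..., 'event': ...} for a matching line, else None.

    In Splunk a non-matching event simply gets no UUID/event field and is
    left out by `stats count by event`; here it is returned as None so the
    caller can count what the search would have ignored.
    """
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def count_events(log_text):
    """Equivalent of `... | stats count by event`, plus the totals.

    Returns (total_matched, per_event_counts, unmatched), where
    per_event_counts is a Counter keyed by event type.
    """
    per_event = Counter()
    unmatched = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = extract(line)
        if fields is None:
            unmatched += 1
            continue
        per_event[fields["event"]] += 1
    return sum(per_event.values()), per_event, unmatched


if __name__ == "__main__":
    total, per_event, unmatched = count_events(SAMPLE_LOG)
    print(f"total events: {total} (unmatched lines: {unmatched})")
    for event, n in sorted(per_event.items()):
        print(f"{event}: {n}")
```

The `unmatched` figure is the check worth keeping: if it is non-zero on real data, the per-event counts from `stats count by event` undercount the total, and the regex (or the log format assumption behind it) needs revisiting before the extraction is made automatic.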