
I am searching for a list of regexes in a splunk alert like this:

... | regex "regex1|regex2|...|regexn"

Can I modify this query to get a table of the regexes found along with their count? The table shouldn't show rows with 0 counts.

regex2 17
regexn 3
user674669

2 Answers


The regex command merely filters events. All we know is each result passed the regular expression. There is no record or indication of why or how any event passed.

To do that, you'd have to extract a unique field or value from each regex and then test the resulting events to see which field or value was present. The regex command, however, does not extract anything. You'd need the rex command or the match function to do that.

RichG
  • Thanks @RichG, I want to extract the entire regexi if it's present in the event. – user674669 Mar 27 '20 at 14:32
  • The `rex` command will extract the text that matches the regex, but not the regex itself. I'm not aware of any way to get the matching regex. – RichG Mar 27 '20 at 17:49

Looks like the | regex line is not needed. This is working for me. Notice the extra brackets.

| rex max_match=0 "(?P<countfields>((regex1)|(regex2)|..|(regexn)))"
| stats count by countfields
user674669
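As an added illustration that is not part of either answer and is not Splunk code: the Python below emulates the two SPL commands on a handful of constructed log lines. regex_filter stands in for `| regex` (it keeps matching events but records nothing about which alternative fired), rex_count_by_text mirrors the `rex max_match=0 "(?P<countfields>(...)|(...))" | stats count by countfields` pipeline of the answer above, and rex_count_by_pattern shows the caveat with that pipeline: `stats count by countfields` groups by the matched text, so one regex that matches different substrings (a username, a command path) yields several rows rather than one row per regex. Wrapping each alternative in its own named capture group keys the count by the pattern instead. The event lines, the labels and the patterns are all made up for the example; the SPL shape for the per-pattern variant (one named group per alternative, then `stats count(field)` for each field) is my suggestion, not something from the original answers, and should be checked in your own Splunk before relying on it.

```python
import re
from collections import Counter

# Constructed sample events (not from the original post): syslog-style
# lines of the kind a Splunk alert might be searching.
EVENTS = [
    "Mar 27 14:32:01 host1 sshd[1203]: Failed password for root from 10.0.0.5 port 4021 ssh2",
    "Mar 27 14:32:07 host1 sshd[1209]: Failed password for admin from 10.0.0.7 port 4030 ssh2",
    "Mar 27 14:33:15 host2 sudo: alice : TTY=pts/0 ; COMMAND=/bin/bash",
    "Mar 27 14:35:40 host1 sshd[1250]: Accepted publickey for alice from 10.0.0.9 port 4100 ssh2",
    "Mar 27 14:36:02 host2 sudo: bob : TTY=pts/1 ; COMMAND=/usr/bin/vi /etc/shadow",
    "Mar 27 14:37:11 host3 kernel: Out of memory: Kill process 4242 (java)",
]

# Constructed stand-ins for regex1..regexn from the post, keyed by a label
# so the pattern that fired can be reported rather than only the text.
REGEXES = {
    "failed_login": r"Failed password for \w+",
    "sudo_cmd": r"COMMAND=\S+",
    "oom_kill": r"Out of memory",
}


def regex_filter(events, patterns):
    """Emulates `| regex "regex1|regex2|...|regexn"`: keeps events where the
    alternation matches somewhere, but keeps no record of which branch did."""
    alternation = re.compile("|".join(patterns))
    return [e for e in events if alternation.search(e)]


def rex_count_by_text(events, patterns):
    """Emulates the accepted answer:
        | rex max_match=0 "(?P<countfields>((regex1)|(regex2)|...|(regexn)))"
        | stats count by countfields
    Every match in every event (max_match=0) is counted by the TEXT the outer
    group captured, so two different usernames give two different rows."""
    alternation = re.compile(
        "(?P<countfields>" + "|".join(f"({p})" for p in patterns) + ")"
    )
    counts = Counter()
    for e in events:
        for m in alternation.finditer(e):
            counts[m.group("countfields")] += 1
    return dict(counts)


def rex_count_by_pattern(events, labelled_patterns):
    """One named group per alternative, so the count is keyed by which regex
    fired rather than by the substring it matched. Labels with zero matches
    never appear, which is the "no rows with 0 counts" behaviour asked for."""
    alternation = re.compile(
        "|".join(f"(?P<{name}>{p})" for name, p in labelled_patterns.items())
    )
    counts = Counter()
    for e in events:
        for m in alternation.finditer(e):
            # Exactly one alternative participates in each match; its group
            # is the only non-None entry in groupdict().
            fired = next(k for k, v in m.groupdict().items() if v is not None)
            counts[fired] += 1
    return dict(counts)


if __name__ == "__main__":
    print(len(regex_filter(EVENTS, REGEXES.values())), "events pass | regex")
    print("count by matched text:   ", rex_count_by_text(EVENTS, REGEXES.values()))
    print("count by matched pattern:", rex_count_by_pattern(EVENTS, REGEXES))
```

On the constructed events, counting by matched text produces five rows (two distinct "Failed password for ..." strings, two distinct COMMAND= values, one "Out of memory"), while counting by pattern produces the three-row table the question was after. If the patterns are long and only the label matters, the per-pattern form is also easier to read in the alert output.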