I ran it to test and made a few tweaks:
index=* | eval mystring="24455,POST,http://localhost:8080/tienda1/publico/pagar.jsp,HTTP/1.1,Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.8 (like Gecko),no-cache,no-cache,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5,x-gzip, x-deflate, gzip, deflate,utf-8, utf-8;q=0.5, ;q=0.5,en,localhost:8080,close,103,application/x-www-form-urlencoded,JSESSIONID=12546061FC0154DC98FEC5A70E87F6B4,B1='; DROP TABLE usuarios; SELECT FROM datos WHERE nombre LIKE '%,anom"
| rex max_match=0 field=mystring "(?<keywords>SELECT|UPDATE|INSERT|CREATE|ALTER|RENAME|WHERE|DROP)"
| eval amount=mvcount(keywords)
| table mystring, keywords, amount
| rename amount as "No. of Keywords"
And that returns keywords of DROP, SELECT and WHERE and a count of 3.
For your data, you won't likely need a lot of that:
sourcetype=blah eventtype=bleh my base search here ...
| rex max_match=0 field=mystring "(?<keywords>SELECT|UPDATE|INSERT|CREATE|ALTER|RENAME|WHERE|DROP)"
| eval number_of_keywords=mvcount(keywords)
Give that a try and report back here to adaam94 on how it worked!
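An added example, not part of the original post and not Splunk code: a Python prototype of the counting that `rex max_match=0` plus `mvcount` performs above, run next to a stricter variant that URL-decodes the value and matches whole words case-insensitively. The stricter pattern, the function names and the second and third sample values are assumptions made for illustration; the first sample is the payload fragment from the post.

```python
import re
from urllib.parse import unquote_plus

# Same keyword list as the rex in the post.
KEYWORDS = ("SELECT", "UPDATE", "INSERT", "CREATE", "ALTER", "RENAME", "WHERE", "DROP")

# Literal port of the posted pattern: case-sensitive, no word boundaries.
AS_POSTED = re.compile("|".join(KEYWORDS))
# Assumed variant (not from the post): whole words only, any letter case.
STRICT = re.compile(r"\b(?:" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)


def keywords_as_posted(value):
    """Like rex max_match=0: return every match, in order, as a list."""
    return AS_POSTED.findall(value)


def keywords_strict(value):
    """URL-decode first, then match whole words regardless of case."""
    return [m.upper() for m in STRICT.findall(unquote_plus(value))]


def keyword_count(matches):
    """Like mvcount(), but 0 instead of null when nothing matched."""
    return len(matches)


# Sample values: [0] is the payload from the post, [1] and [2] are constructed.
SAMPLES = [
    "B1='; DROP TABLE usuarios; SELECT FROM datos WHERE nombre LIKE '%",
    "B1=%27%3B+drop+table+usuarios%3B+select+from+datos+where+nombre+like+%27%25",
    "SECTION=DROPDOWN&PAGE=NOWHERE&ACTION=UPDATES",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        posted = keywords_as_posted(sample)
        strict = keywords_strict(sample)
        print(sample)
        print("  as posted:", posted, keyword_count(posted))
        print("  strict:   ", strict, keyword_count(strict))
```

In SPL the same tightening would mean decoding the field before the `rex` and wrapping the alternation in `(?i)\b...\b`.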