Make sure you're actually extracting fields from those JSON events.

That was exactly the problem, thank you so much Martin! I used the interactive field extractor to extract the actions field, and it works now.

Searching for the term CREATE will work as long as no other fields contain that term.

What happens when you run this:

sourcetype=foo | table _time action

Do you get a column action? Does each row contain multiple values underneath each other or one long string?

He means this:

sourcetype=foo | table _time actions

When I try sourcetype=foo | table _time actions

I get a column _time populated with timestamps and an empty column actions (just blank).

Thanks Martin. Could you please explain what you mean by "if your actions field is correctly extracted as an mv field"? What's the correct way to extract an mv field?

While the above expression didn't work for me, I used something similar and successfully got the count of all events containing a CREATE action. This is what worked:

sourcetype=foo CREATE | stats count as "Number of File Creations"

For some reason it didn't like the actions=CREATE. Any idea why?

If actions is a multivalue field as specified in the question then treating it as a huge string is not worth bonus karma points 😛

I suppose it could be condensed to this:

source_type=source | eval len=length(actions) | eval copy=actions| rex field=copy mode=sed "s/CREATE//g" | eval numValues= (len - len(copy)) / 6

Thanks for your reply woodcock! I tried this out but it didn't work for me. Perhaps what's missing is the stats count portion?