Splunk code to find Error description :
index="inputfile" | rex "^(?P<reasoncode>[^\t]*)" | rex max_match=0 "<messageString>(?<reasoncode>[^\\<\"]*)" | eval reason_sub_code=substr(reasoncode,1,7)|stats count by reasoncode
---------- Results as Expected : Working as EXPECTED-----------
reasoncode " count"
DPR-ERR-2070 the service monitorService did not stop within a reasonable amount of time 2
DPR-DPR-1026 Unable to register the dispatcher in Content Manager. 2
DPR-DPR-2002 Unable to find 2
Splunk code to find Error code counts only:
index="inputfile" | rex "^(?P<reasoncode>[^\t]*)" | rex max_match=0 "<messageString>(?<reasoncode>[^\\<\"]*)" | eval reason_sub_code=substr(reasoncode,1,12)|stats count by reason_sub_code
----Actual Output: NOT Working as EXPECTED--------------
reasoncode " count"
DPR-ERR-2070 2
Expected Output:
reasoncode " count"
DPR-ERR-2070 2
DPR-DPR-1026 2
DPR-DPR-2002 2
Give this a try
index="inputfile" | rex max_match=0 "\<messageString\>(?<reason_sub_code>\S+)" |stats count by reason_sub_code