How to ensure the linecount is updated after remov...

kmorton · ‎05-17-2017

I've got some events with some lines in it that I don't want displayed, so I'm removing those with a rex sed statement inline to the search. The trick is that I want the linecount to also update. Is there any way to do this? My generic search is below, though it could be any sed statement to remove lines.

search expression
| rex mode=sed "s/[\n\r]*\s*at .*//g" 
| rex mode=sed "s/[\n\r]*\s*java.*//g"

woodcock · ‎04-07-2019

You can do it in one line like this:

... | eval linecount=mvcount(split(_raw, "
"))

Or this:

... | eval linecount=len(_raw) - len(replace(_raw, "[\r\n]+", "")) + 1

dmarling · ‎04-05-2019

Give this a try. It's very straight forward:

| rex max_match=0 "(?<linebreaks>\n+)"
| eval adjustedlinecount=mvcount(linebreaks)

It is extracting every line break in the event and then the adjustedlinecount field is counting how many linebreaks get returned on each event since the max_match is causing the linebreaks field to be multivalued.

If this comment/answer was helpful, please up vote it. Thank you.

How to ensure the linecount is updated after removing lines in a rex search?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!