I've got some events with some lines in them that I don't want displayed, so I'm removing those with a rex sed statement inline to the search. The trick is that I want the linecount to also update. Is there any way to do this? My generic search is below, though it could be any sed statement to remove lines.
search expression
| rex mode=sed "s/[\n\r]*\s*at .*//g"
| rex mode=sed "s/[\n\r]*\s*java.*//g"
You can do it in one line like this:
... | eval linecount=mvcount(split(_raw, "
"))
Or this:
... | eval linecount=len(_raw) - len(replace(_raw, "[\r\n]+", "")) + 1
Give this a try. It's very straightforward:
| rex max_match=0 "(?<linebreaks>\n+)"
| eval adjustedlinecount=mvcount(linebreaks)
It is extracting every line break in the event and then the adjustedlinecount field is counting how many linebreaks get returned on each event since the max_match is causing the linebreaks field to be multivalued.
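The approaches from this thread, put together as an added example that is not part of the original posts: it builds one constructed five-line event with `makeresults`, applies the two sed expressions from the question, and recomputes the count with the `split`/`mvcount` form from the first answer. The field names `nl` and `original_linecount`, the sample event text, and the use of `urldecode("%0A")` to produce a newline are assumptions made for the illustration.

```spl
| makeresults
| eval nl=urldecode("%0A")
| eval _raw="ERROR constructed sample: request failed" . nl . "java.lang.IllegalStateException: boom" . nl . "    at com.example.Foo.bar(Foo.java:10)" . nl . "    at com.example.Main.main(Main.java:5)" . nl . "INFO retrying"
| eval original_linecount=mvcount(split(_raw, nl))
| rex mode=sed "s/[\n\r]*\s*at .*//g"
| rex mode=sed "s/[\n\r]*\s*java.*//g"
| eval linecount=mvcount(split(_raw, nl))
| table original_linecount linecount _raw
```

Because `makeresults` generates the event, the search runs without any indexed data, and the table shows the count before and after the stack-trace lines are stripped.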