Sure thing, although I don't quite understand what you're representing when you have a timestamp on the same line with the count. Presumably, that usb_key wasn't seen 1936 times at a single moment - so you might give some thought to what that communicates. But certainly you know your intentions better than I do.

I think this should do it:

your base search
| rex max_match=0 "(^|\n)(?\/\S+\s\/\S+)"
| eval user_id=coalesce(user_id, uid)
| eventstats latest(user) AS user BY user_id
| eval usb_time=if(source="/etc/mtab", _time, NULL)
| stats latest(usb_time) AS _time, list(user) AS user, list(user_id) AS user_id, count BY usb_key

Hello @elliotproebstel,

I have 1936 times the usb_key Transcend and 2207 times others usb_key because I did tests with Transcend that was not mounted and the other keys that were.

Amir

Sure. Given the events above, do you want to use the time from the event that contained the name of the USB key? If so, I'd do this:

your base search
| rex max_match=0 "(^|\n)(?<usb_key>\/\S+\s\/\S+)"
| eval user_id=coalesce(user_id, uid)
| eval usb_time=if(source="/etc/mtab", _time, NULL)
| stats latest(usb_time) AS _time, list(user) AS user, list(usb_key) AS usb_key BY user_id

is it possible to display this by usb key with the number of times they appear each and uid and the user and the date ?

thank you
Amir

Does this work?

| rex "^(?<usb_key>\/\S+\s\/\S+)"

yes, it works for the first line /dev/sdb1 /media/Transcend but not for the 2 others.

it's well extracted to /dev/sdb1 /media/Transcend

but my main problem is to extract the 2 from below.

Sorry for the double post.

Got it. Does this work for you?

| rex "(^|\n)(?<usb_key>\/\S+\s\/\S+)"

it is the same problem it works but with the first line.

it extract me /dev/sdb1 /media/Transcend but not the 2 others.

Ahh, I was forgetting the max_match option, which may be biting us. Sorry for shooting in the dark a bit here, but I don't have access to a Splunk instance at the moment, so I can't test things before posting. I'm going to shotgun several options here, and you can test any/all of them:

First:

| rex max_match=0 "(?s)(?<usb_key>\/\S+\s\/\S+)"

Second:

| rex max_match=0 "(^|\n)(?<usb_key>\/\S+\s\/\S+)"

Third:

| rex max_match=0 "[\S\s](?<usb_key>\/\S+\s\/\S+)"

I'm hoping one of these works!

It's not a problem that, you take your time to help me on the contrary I'm happy to learn.

the first 2 are good, I have the 3 that are extracted.

Is it possible that you explain:

rex max_match = 0 "(^ | \ n) (? <usb_key> \ / \ S + \ s \ / \ S +)" and [\ S \ s] which is in the 2nd expression.

thank you
Amir

Great! And I'm happy to explain!

The snippet (^|\n) in the first is looking for ^, which means the start of the line OR \n, which is a newline character. I was figuring that the first line wouldn't be preceded by a newline, so we'd need ^ to grab the first one.

The [\S\s] was also a bit of a trick to look for any character at all (including a newline), because it matches on \S (any non-whitespace character) or \s (any whitespace character). But I expect it probably failed to grab the first line, since the first usb_key value had nothing at all before it. It might work if revised like this:

| rex max_match=0 "[\S\s]?(?<usb_key>\/\S+\s\/\S+)"

because that makes the [\S\s] optional (zero or one matches will pass).

ok thank you so much for your help @elliotproebstel .

I learned a lot today 🙂

Amir

My pleasure!