I am searching for a list of regexes in a splunk alert like this:
... | regex "regex1|regex2|...regexn"
Can I modify this query to get a table of the regexes found along with their count? The table shouldn't show rows with 0 counts, e.g.:
regex2 17
regexn 3
... | regex "regex1|regex2|...regexn"
| rex max_match=0 "(?<countfields>regex1|regex2|...regexn)"
| stats count by countfields
Great answer @to4kawa.
Looks like the | regex line is not needed. This is working for me. Notice the extra brackets.
| rex max_match=0 "(?P<countfields>((regex1)|(regex2)|..|(regexn)))"
| stats count by countfields
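A self-contained version of the approach above, added here as an illustration and not part of the original thread: the five events are constructed inline with makeresults (so it runs with no index), and the three sshd phrases plus "Connection closed" stand in for whatever patterns your alert actually matches.

```spl
| makeresults
| eval _raw="sshd[1]: Failed password for root from 10.0.0.5###sshd[2]: Invalid user admin from 10.0.0.9###sshd[3]: Accepted publickey for ops from 10.0.0.7###sshd[4]: Failed password for root from 10.0.0.9###cron[5]: session opened for user root"
| makemv delim="###" _raw
| mvexpand _raw
| rex field=_raw max_match=0 "(?<countfields>((Failed password)|(Invalid user)|(Accepted publickey)|(Connection closed)))"
| stats count by countfields
```

"Connection closed" never matches, so it gets no row, and the cron event, where countfields stays null, is dropped by stats rather than producing a 0 count.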