I have a search in the form of:
index=mail sourcetype=a_mail | stats count by subject | sort -count
This displays the subject lines of all emails in the past, let's say, 1 week. The subject lines are like:
line 1: aaa bbb ccc ddd
line 2: xxx aaa bbb yyy
line 3: aaa xxx rrr ggg
I wish to count the number of times aaa occurs in all of the displayed subject lines, and the number of times bbb occurs etc. Please note that I'm not specifically looking for any particular word. I just want to count the different words and display them in order of decreasing frequency.
So far I have tried to remove spaces from the subject lines:
index=mail sourcetype=a_mail | stats count by subject | sort -count | rex mode=sed field=subject "s/ //g"
..and substituting the spaces with a delimiter like 'comma' instead. They storing them in 'kv' stores(?) and then counting the repetitions of words, but it's not working since I do not know how to implement kv stores yet. Any ideas are appreciated.
↧