Augusto

Reputation: 4243

How to get two fields using rex from log file?

I'm a newbie with Splunk. My goal is to take two or more fields from logs. I must check if one field is true and then use another field to make a counter. The counter is about how many requests are made by a client, using the user-agent attribute.

My logic desired:

int count1, count2;
count1 = 0;
count2 = 0;

if (GW == true) {
  if (UA == "user-agent1") count1++;
  if (UA == "user-agent2") count2++;
}

At the moment I can get just one field and make a counter without an if-condition.

This query works fine and returns the correct request counter:

source="logfile.log" | rex "UA=(?<ua>\w+)" | stats count(eval(ua="user-agent1")) as USER-AGENT1

But when I try to get the second field (GW) to make the logic, the query returns 0.

source="logsfile.log" | rex "UA=(?<ua>\w+) GW=(?<gw>\w+)" |stats count(eval(ua="user-agent1")) as USER-AGENT1

So, how do I get more fields and how do I make an if-condition in the query?

Sample log:

2020-01-10 14:38:44,539 INFO  [http-nio-8080-exec-8] class:ControllerV1, UA=user-agent1, GW=true
2020-01-10 14:23:51,818 INFO  [http-nio-8080-exec-3] class:ControllerV1, UA=user-agent2, GW=true

Upvotes: 0

Views: 748

Answers (1)

PM 77-1

Reputation: 13334

It will be something like this:

source="logsfile.log" UA GW 
| rex "UA=(?<ua>\w+), GW=(?<gw>\w+)" 
| stats count(eval(gw="true" AND ua="user-agent1")) as AGENT1, 
        count(eval(gw="true" AND ua="user-agent2")) as AGENT2

If, for example, you do not know the order of variables or you have more than 2, you can use separate rex statements:

source="logsfile.log" UA GW 
| rex "UA=(?<ua>\w+)"
| rex "GW=(?<gw>\w+)" 
| stats count(eval(gw="true" AND ua="user-agent1")) as AGENT1, 
        count(eval(gw="true" AND ua="user-agent2")) as AGENT2

This could be a bit slower since _raw will be parsed twice.

Upvotes: 1
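Added example (not from the question or the answer) that replays the answer's two extraction styles in Python over constructed lines in the question's log format: the single-pass pattern without the comma never matches, so every conditional count is 0, while two separate extractions also cope with the fields appearing in a different order. One caveat the sample lines expose: `\w` does not match `-`, so `\w+` would capture only `user` from `user-agent1`; the example uses `[\w-]+` for UA.

```python
import re
from collections import Counter

# Constructed sample lines mirroring the question's log format (the last two are added
# to show a GW=false event and a line with the fields in swapped order).
SAMPLE_LOG = """\
2020-01-10 14:38:44,539 INFO  [http-nio-8080-exec-8] class:ControllerV1, UA=user-agent1, GW=true
2020-01-10 14:23:51,818 INFO  [http-nio-8080-exec-3] class:ControllerV1, UA=user-agent2, GW=true
2020-01-10 14:25:02,001 INFO  [http-nio-8080-exec-1] class:ControllerV1, UA=user-agent1, GW=false
2020-01-10 14:26:13,417 INFO  [http-nio-8080-exec-5] class:ControllerV1, GW=true, UA=user-agent1
"""

# Python's re spells named groups (?P<name>...) where Splunk rex uses (?<name>...).
# \w does not match "-", so [\w-]+ is needed to capture "user-agent1" as one token.
RE_ONE_PASS_BROKEN = re.compile(r"UA=(?P<ua>[\w-]+) GW=(?P<gw>\w+)")   # no comma: never matches
RE_ONE_PASS_FIXED = re.compile(r"UA=(?P<ua>[\w-]+), GW=(?P<gw>\w+)")   # the answer's first form
RE_UA = re.compile(r"UA=(?P<ua>[\w-]+)")                               # the answer's second form,
RE_GW = re.compile(r"GW=(?P<gw>\w+)")                                  # one rex per field


def extract_one_pass(line, pattern):
    """One rex carrying both fields: if the whole pattern fails, neither field is set."""
    m = pattern.search(line)
    return m.groupdict() if m else {}


def extract_separate(line):
    """Two independent rex statements: each field is set whenever its own pattern matches,
    regardless of the order the fields appear in."""
    fields = {}
    for pattern in (RE_UA, RE_GW):
        m = pattern.search(line)
        if m:
            fields.update(m.groupdict())
    return fields


def count_by_agent(lines, extract):
    """Equivalent of stats count(eval(gw="true" AND ua=...)): only events with GW=true
    are counted, keyed by the UA value."""
    counts = Counter()
    for line in lines:
        f = extract(line)
        if f.get("gw") == "true" and "ua" in f:
            counts[f["ua"]] += 1
    return dict(counts)
```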
