https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339493#M100680 <P>That appears to have worked but why?<BR /> If <BR /> cat= FFIEC; PPI<BR /> and <BR /> cat= PPI</P> <P>There is no ; or " " on the second value so why would the "; " be any different than ";"?</P> Tue, 17 Apr 2018 14:37:11 GMT aarontmartin165 2018-04-17T14:37:11Z https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339487#M100674 <P>I have a field <EM>cat</EM> which may display multiple fields of varying count <EM>FFIEC, GLBA, PPI</EM> or just <EM>PPI</EM> so there is no set count to the multivalue fields. I am attempting to count the number of times each unique value appears and graph it over time. My query is as follows:</P> <PRE><CODE>my query | eval Policies=split(cat,";") | timechart span=1h count by Policies </CODE></PRE> <P>My problem is that when the line chart is displayed there can be multiple lines for a <EM>Policy</EM> value. For example if the multivalue field returns 3 instances as follows</P> <BLOCKQUOTE> <P>FFIEC; GLBA; PPI<BR /> PPI<BR /> PPI<BR /> FFIEC; GLBA; PPI</P> </BLOCKQUOTE> <P>My line values would display PPI = 2 FFIEC = 2 GLBA= 2 PPI = 2</P> <P>What I am hoping to achieve is PPI=4 FFIEC=2 GLBA=2</P> <P>Can anyone identify the part of my query I have wrong? </P> Tue, 17 Apr 2018 13:38:33 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339487#M100674 aarontmartin165 2018-04-17T13:38:33Z https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339488#M100675 <P>what happens if you just mvexpand on policies before the timechart?</P> Tue, 17 Apr 2018 13:44:35 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339488#M100675 Sukisen1981 2018-04-17T13:44:35Z https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339489#M100676 <P>You should try adding a space in your split separator:</P> <PRE><CODE>my query | eval Policies=split(cat,"; ") | timechart span=1h count by Policies </CODE></PRE> Tue, 17 Apr 2018 13:46:05 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339489#M100676 damien_chillet 2018-04-17T13:46:05Z https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339490#M100677 <P>Can you try:</P> <PRE><CODE>my query | eval To_count=mvcount(split(cat,"; "))-1 | timechart span=1h values(To_count) by Policies </CODE></PRE> Tue, 17 Apr 2018 13:47:14 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339490#M100677 p_gurav 2018-04-17T13:47:14Z https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339491#M100678 <P>Use <A href="http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Mvexpand">mvexpand</A> to create an event for each multi value value. You'll be able create a timechart with a line for each distict policy:</P> <PRE><CODE>my query | eval Policies=split(cat,";") | mvexpand Policies | timechart span=1h count by Policies </CODE></PRE> Tue, 17 Apr 2018 14:07:15 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339491#M100678 evsmt 2018-04-17T14:07:15Z https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339492#M100679 <P>Why would I use the -1?</P> Tue, 17 Apr 2018 14:35:10 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339492#M100679 aarontmartin165 2018-04-17T14:35:10Z https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339493#M100680 <P>That appears to have worked but why?<BR /> If <BR /> cat= FFIEC; PPI<BR /> and <BR /> cat= PPI</P> <P>There is no ; or " " on the second value so why would the "; " be any different than ";"?</P> Tue, 17 Apr 2018 14:37:11 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339493#M100680 aarontmartin165 2018-04-17T14:37:11Z https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339494#M100681 <P>split function will create a value for the multivalve field overtime it meets the splitter.<BR /> So, in first case "cat=FFIEC; PPI" it will return "FFIEC" and " PPI" if you use ";"<BR /> In second case it will just return "PPI" because nothing to split.</P> Tue, 17 Apr 2018 14:45:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339494#M100681 damien_chillet 2018-04-17T14:45:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339495#M100682 <P>Got it, I was thinking that leading spaces would be dropped but as I read your explanation I realize I had no reason I should have expected that.</P> Tue, 17 Apr 2018 15:13:57 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-count-unique-values-in-a-multi-value-field/m-p/339495#M100682 aarontmartin165 2018-04-17T15:13:57Z