https://community.splunk.com/t5/Splunk-Search/Multivalue-fields-Count-Values-that-match-a-value-in-multi-value/m-p/374250#M109992 <P>Hi Woodcock! For the above table.Question1) find the count of all intents that do not have at least 1 value for the column CASE as WDC<BR /><BR /> Answer1) I would like the value as 0 for the intent -Out of the 4 tuples, all of the them have alteast one of the CASE Column value as WDC- . <BR /> 2nd Question)Find out count of all intents that match atleast one occurrence of CCC in Case field .<BR /> I would like the value as 1. Out of the 4 tuples, only one of them have the values as CCC for the column Case( 2nd record)</P> <P><STRONG>Column Case has multiple values for each record of intent</STRONG><STRONG>Each of the values in the column CASE are alphanumeric. Have to search by prefix i.e. WDC or CCC</STRONG></P> Wed, 02 May 2018 20:24:30 GMT venkatrajan04 2018-05-02T20:24:30Z https://community.splunk.com/t5/Splunk-Search/Multivalue-fields-Count-Values-that-match-a-value-in-multi-value/m-p/374248#M109990 <P>Hello SPlunk team,<BR /> my base query returns something like the table below . I need to find the count of all intents that do not have the values for case column as WDC and also find out count of all intents that match CCC in Case field . Note- case field is a multi value field. <BR /> ID | Intent| Case<BR /> 111|reading|WDC-333<BR /> 122|reading|WDC-345,CCC-666,I -888<BR /> 123|reading|WDC-567,I-444<BR /> 155|reading|WDC-43, S-888,B-999</P> Wed, 02 May 2018 19:42:55 GMT https://community.splunk.com/t5/Splunk-Search/Multivalue-fields-Count-Values-that-match-a-value-in-multi-value/m-p/374248#M109990 venkatrajan04 2018-05-02T19:42:55Z https://community.splunk.com/t5/Splunk-Search/Multivalue-fields-Count-Values-that-match-a-value-in-multi-value/m-p/374249#M109991 <P>Give us a mockup of what you would like your final output data to be. I don't get it at all.</P> Wed, 02 May 2018 20:13:15 GMT https://community.splunk.com/t5/Splunk-Search/Multivalue-fields-Count-Values-that-match-a-value-in-multi-value/m-p/374249#M109991 woodcock 2018-05-02T20:13:15Z https://community.splunk.com/t5/Splunk-Search/Multivalue-fields-Count-Values-that-match-a-value-in-multi-value/m-p/374250#M109992 <P>Hi Woodcock! For the above table.Question1) find the count of all intents that do not have at least 1 value for the column CASE as WDC<BR /><BR /> Answer1) I would like the value as 0 for the intent -Out of the 4 tuples, all of the them have alteast one of the CASE Column value as WDC- . <BR /> 2nd Question)Find out count of all intents that match atleast one occurrence of CCC in Case field .<BR /> I would like the value as 1. Out of the 4 tuples, only one of them have the values as CCC for the column Case( 2nd record)</P> <P><STRONG>Column Case has multiple values for each record of intent</STRONG><STRONG>Each of the values in the column CASE are alphanumeric. Have to search by prefix i.e. WDC or CCC</STRONG></P> Wed, 02 May 2018 20:24:30 GMT https://community.splunk.com/t5/Splunk-Search/Multivalue-fields-Count-Values-that-match-a-value-in-multi-value/m-p/374250#M109992 venkatrajan04 2018-05-02T20:24:30Z https://community.splunk.com/t5/Splunk-Search/Multivalue-fields-Count-Values-that-match-a-value-in-multi-value/m-p/374251#M109993 <P>Like this:</P> <PRE><CODE>|makeresults | eval raw="111|reading|WDC-333:122|reading|WDC-345,CCC-666,I-888:123|reading|WDC-567,I-444:155|reading|WDC-43, S-888,B-999" | makemv delim=":" raw | mvexpand raw | rename raw AS _raw | rex "^(?&lt;ID&gt;[^\|]+)\|(?&lt;Intent&gt;[^\|]+)\|(?&lt;Case&gt;[^\|]+)$" | makemv delim="," Case | table ID Intent Case | rename COMMENT AS "Everything above generates sample event data; everything below is your solution." | eval CasePrefix = Case | rex field=CasePrefix mode=sed "s/-\d+$//" | chart count BY ID CasePrefix </CODE></PRE> Wed, 02 May 2018 20:36:10 GMT https://community.splunk.com/t5/Splunk-Search/Multivalue-fields-Count-Values-that-match-a-value-in-multi-value/m-p/374251#M109993 woodcock 2018-05-02T20:36:10Z https://community.splunk.com/t5/Splunk-Search/Multivalue-fields-Count-Values-that-match-a-value-in-multi-value/m-p/374252#M109994 <P>Thanks WoodcocK! What exactly does the sed command do ? </P> Wed, 02 May 2018 20:58:09 GMT https://community.splunk.com/t5/Splunk-Search/Multivalue-fields-Count-Values-that-match-a-value-in-multi-value/m-p/374252#M109994 venkatrajan04 2018-05-02T20:58:09Z https://community.splunk.com/t5/Splunk-Search/Multivalue-fields-Count-Values-that-match-a-value-in-multi-value/m-p/374253#M109995 <P><A href="https://en.wikipedia.org/wiki/Sed">https://en.wikipedia.org/wiki/Sed</A></P> Wed, 02 May 2018 21:09:32 GMT https://community.splunk.com/t5/Splunk-Search/Multivalue-fields-Count-Values-that-match-a-value-in-multi-value/m-p/374253#M109995 woodcock 2018-05-02T21:09:32Z