https://community.splunk.com/t5/Splunk-Search/Count-values-in-multivalue-field-encoded-as-a-string/m-p/413081#M119106 <P>I have the following entry in several of my events:</P> <PRE><CODE>puppy_name = "Scout Windixie Spot" </CODE></PRE> <P>If it's not obvious already, this field, puppy_name, has 3 different values. It really should be:</P> <PRE><CODE>puppy_names = ["Scout", "Windixie", "Spot"] </CODE></PRE> <P>That said, I have a couple of questions: <BR /> <EM>Note</EM> if you can help me with question 2, then don't bother with 1<BR /> 1) What spl query can I construct to count the number of unique strings in <CODE>puppy_name</CODE> and put the result in a new field called <CODE>puppy_name_count</CODE>?<BR /> I have already tried:</P> <PRE><CODE>index="puppies" | eval puppy_name_count=mvcount(split(puppy_name, " ")) </CODE></PRE> <P>Assuming <CODE>split()</CODE> returns an array (although I can't say this for sure because I couldn't find any documentation on <CODE>split()</CODE>), I need something like:</P> <PRE><CODE>index="puppies" | eval puppy_name_count=array_length(split(puppy_name, " ")) </CODE></PRE> <P>Does anyone know how I can achieve this?</P> <P>2) Is there an spl query or splunk configuration I can write to automatically split in the different puppy names in puppy_name into something like: <CODE>puppys_name=["Scout", "Windixie", "Spot"]</CODE>?</P> Wed, 30 Sep 2020 01:30:07 GMT brinley 2020-09-30T01:30:07Z https://community.splunk.com/t5/Splunk-Search/Count-values-in-multivalue-field-encoded-as-a-string/m-p/413081#M119106 <P>I have the following entry in several of my events:</P> <PRE><CODE>puppy_name = "Scout Windixie Spot" </CODE></PRE> <P>If it's not obvious already, this field, puppy_name, has 3 different values. It really should be:</P> <PRE><CODE>puppy_names = ["Scout", "Windixie", "Spot"] </CODE></PRE> <P>That said, I have a couple of questions: <BR /> <EM>Note</EM> if you can help me with question 2, then don't bother with 1<BR /> 1) What spl query can I construct to count the number of unique strings in <CODE>puppy_name</CODE> and put the result in a new field called <CODE>puppy_name_count</CODE>?<BR /> I have already tried:</P> <PRE><CODE>index="puppies" | eval puppy_name_count=mvcount(split(puppy_name, " ")) </CODE></PRE> <P>Assuming <CODE>split()</CODE> returns an array (although I can't say this for sure because I couldn't find any documentation on <CODE>split()</CODE>), I need something like:</P> <PRE><CODE>index="puppies" | eval puppy_name_count=array_length(split(puppy_name, " ")) </CODE></PRE> <P>Does anyone know how I can achieve this?</P> <P>2) Is there an spl query or splunk configuration I can write to automatically split in the different puppy names in puppy_name into something like: <CODE>puppys_name=["Scout", "Windixie", "Spot"]</CODE>?</P> Wed, 30 Sep 2020 01:30:07 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-in-multivalue-field-encoded-as-a-string/m-p/413081#M119106 brinley 2020-09-30T01:30:07Z https://community.splunk.com/t5/Splunk-Search/Count-values-in-multivalue-field-encoded-as-a-string/m-p/413082#M119107 <P>This does work. So if that isn't working in your data then you have some hidden character. </P> <PRE><CODE>| makeresults | eval puppy_name = "Scout Windixie Spot" | eval nameCount=mvcount(split(puppy_name," ")) </CODE></PRE> <P>Play around with field extraction to break them up similar to </P> <PRE><CODE>| makeresults | eval puppy_name = "Scout Windixie Spot" | rex field=puppy_name max_match=0 "(?P&lt;puppy_names&gt;[^\s\r\n]+)" | eval nameCount=mvcount(split(puppy_names," ")) </CODE></PRE> Wed, 24 Jul 2019 19:52:23 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-in-multivalue-field-encoded-as-a-string/m-p/413082#M119107 starcher 2019-07-24T19:52:23Z https://community.splunk.com/t5/Splunk-Search/Count-values-in-multivalue-field-encoded-as-a-string/m-p/413083#M119108 <P>Hi @brinley</P> <P>Check this</P> <P>To find the number of unique strings:</P> <PRE><CODE> | makeresults | eval puppy_name = "Scout Windixie Spot Scout" | makemv delim=" " puppy_name | eval puppy_name_count =mvcount(mvdedup(puppy_name)) | table puppy_name_count </CODE></PRE> <P>String in the required format:</P> <PRE><CODE>| makeresults | eval puppy_name = "Scout Windixie Spot Scout" | makemv delim=" " puppy_name | eval puppy_name =mvdedup(puppy_name) | mvexpand puppy_name | eval puppy_name = "\"".puppy_name."\"" | mvcombine puppy_name delim="," | nomv puppy_name | eval puppy_name = "[".puppy_name."]" | table puppy_name </CODE></PRE> Thu, 25 Jul 2019 03:42:56 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-in-multivalue-field-encoded-as-a-string/m-p/413083#M119108 vnravikumar 2019-07-25T03:42:56Z https://community.splunk.com/t5/Splunk-Search/Count-values-in-multivalue-field-encoded-as-a-string/m-p/413084#M119109 <P>1) <BR /> | makeresults<BR /> | eval puppy_name = "Scout Windixie Spot Spot" </P> <H2>| eval name_count = mvcount(mvdedup(split(puppy_name," ")))</H2> <P>2) it looks like a list in python, I'm not sure splunk has a function that converts a list string directly into a multi-valued field, I recommend parsing it first with a regular expression, like this:<BR /> | makeresults <BR /> | eval puppy_name ="['Scout', 'Windixie', 'Spot','Spot']" <BR /> | rex field=puppy_name "'(?P[^']+)'" max_match=0 <BR /> | eval name_count = mvcount(mvdedup(name))</P> <P>Hope that helps</P> Wed, 30 Sep 2020 01:30:24 GMT https://community.splunk.com/t5/Splunk-Search/Count-values-in-multivalue-field-encoded-as-a-string/m-p/413084#M119109 zillionlee 2020-09-30T01:30:24Z