topic Re: Count of values in a multi-value field in Splunk Search

Count of values in a multi-value field

hpendela — Fri, 18 Jan 2019 23:15:00 GMT

Log lines:
k1=doesn't matter, k2=doesn't matter, k3=[v3, v4]
k1=doesn't matter, k2=doesn't matter, k3=[v5, v4, v6]
k1=doesn't matter, k2=doesn't matter, k3=[v5, v6, v9, v4]

Expected output:

v4 => 3
v5 => 2
v6 => 2
v3 => 1
v9 => 1

Re: Count of values in a multi-value field

renjith_nair — Sat, 19 Jan 2019 03:14:21 GMT

@hpendela,

Try

"your base search" | rex field=k3 max_match=0 (?<vals>\w\d+)|stats count by vals

If you have more than one character in v , change the grouping part as (?<vals>\w+\d+)

Re: Count of values in a multi-value field

vnravikumar — Sat, 19 Jan 2019 04:15:24 GMT

Hi @hpendela

Please try

| makeresults 
| eval log="k1=doesn't matter, k2=doesn't matter, k3=[v3, v4];
k1=doesn't matter, k2=doesn't matter, k3=[v5, v4, v6];
k1=doesn't matter, k2=doesn't matter, k3=[v5, v6, v9, v4]" 
| makemv delim=";" log 
| mvexpand log 
| rex field=log "k3=\[(?P<k3>(.*))]" 
| makemv delim="," k3 
| eval k3= ltrim(k3) 
| stats count by k3