topic Re: How to use mvcount to get the accurate count of a keyword by source in Splunk Search

How to use mvcount to get the accurate count of a keyword by source

skakani114 — Wed, 30 Sep 2020 02:15:10 GMT

I have logs that have a keyword "*CLP" repeated multiple times in each event. I am trying the get the total counts of CLP in each event. here is the search I am using. The problem I am facing is this search is working fine with small size events but when it comes to large events with more CLP counts, the results are not accurate. please help me to get the accurate count?

index="idx" source="*TAPSSC_123.123"  "*CLP*" |eval tokens = lower(replace(_raw, "\W+", " ")) |makemv tokens |eval matches = mvfilter(match(tokens, "^clp$")) |eval count_CLP = mvcount(matches) |stats sum(count_CLP) as CLP_count by source

Log sample:
You will see CLP keyword like that repeated multiple times in an event.
abvfyatfpwutnqwa25~CLP*k123456*1REF*6T*P1282158997301~AMT*c120~CLP*P11802586130*1*356612125491516

Re: How to use mvcount to get the accurate count of a keyword by source

renjith_nair — Tue, 24 Sep 2019 04:36:18 GMT

@skakani114 ,

Try this and test against your data

index="idx" source="*TAPSSC_123.123" "CLP"
|rex field=_raw max_match=0 "(?<clps>(?i)(CLP))"|stats count by clps

Re: How to use mvcount to get the accurate count of a keyword by source

skakani114 — Wed, 25 Sep 2019 18:47:42 GMT

Thankyou so much for you help. i use this query and i am still not getting the accurate result. could you please suggest how to proceed?
is there any limits.conf to check ?