topic Re: Multiple value for the same field in one event.How to determine statistics in Splunk Search

Multiple value for the same field in one event.How to determine statistics

prettysunshinez — Thu, 18 Jun 2020 18:50:48 GMT

I have an event having 3 errors..
I have a regular expression written to capture the error as "ERROR".
And now i have a lookup file and I input the ERROR value and output Comments for the respective error.

I do not have issues when there is just one value for ERROR field in one event(i.e., if there is only one error in a event)
But when there are more than one error,then i get the result as below.
Kindly help..

Re: Multiple value for the same field in one event.How to determine statistics

to4kawa — Wed, 11 Mar 2020 13:38:58 GMT

"ERROR" field is multivalue?

Re: Multiple value for the same field in one event.How to determine statistics

prettysunshinez — Wed, 11 Mar 2020 14:43:43 GMT

Single value only

Re: Multiple value for the same field in one event.How to determine statistics

manjunathmeti — Wed, 11 Mar 2020 15:08:55 GMT

can you post your query?

Re: Multiple value for the same field in one event.How to determine statistics

prettysunshinez — Wed, 11 Mar 2020 16:02:21 GMT

index= |(regular expression to catch the error from the logs as ERROR) | lookup abc.csv ERROR output Comments |stats count by Comments

abc.csv:
ERROR Comments
Error1 abc
Error2 abc
Error3 bcd
Error4 bed
Error5 abc

Re: Multiple value for the same field in one event.How to determine statistics

prettysunshinez — Wed, 11 Mar 2020 18:02:18 GMT

Regular followed by max_match=0..
In order to capture all the occurences of ERROR

Re: Multiple value for the same field in one event.How to determine statistics

to4kawa — Wed, 11 Mar 2020 20:53:33 GMT

index=your_index 
|(regular expression to catch the error from the logs as ERROR) 
| stats count by ERROR
| lookup abc.csv ERROR output Comments

I see, this query excludes same ERROR
How about this?

In your last comment, |stats count by Comments
This result is following:

Comments count
abc  3
bcd  1
....

This result is not your first expect result.
Which do you want?

Re: Multiple value for the same field in one event.How to determine statistics

prettysunshinez — Thu, 12 Mar 2020 06:01:43 GMT

Am sorry I missed it..
I get the error also as part of output from lookup file..and i do statistics count and values based on ERROR..

Re: Multiple value for the same field in one event.How to determine statistics

woodcock — Sat, 14 Mar 2020 20:36:53 GMT

What you are describing is not possible unless you have a Lookup Definition with some extra settings in it. It is pointless to continue without you spelling out everything including at least 2 lines of your Lookup File and your search SPL and your Lookup Definition.

Re: Multiple value for the same field in one event.How to determine statistics

manjunathmeti — Mon, 16 Mar 2020 10:25:36 GMT

Expand ERROR values before lookup command.

index= |(regular expression to catch the error from the logs as ERROR) | mvexpand ERROR | lookup abc.csv ERROR output Comments |stats count by Comments

Re: Multiple value for the same field in one event.How to determine statistics

woodcock — Sun, 22 Mar 2020 18:43:53 GMT

Why are you being so vauge? Show us ALL of your search! The rex part is probably THE MOST IMPORTANT PART and yet you stripped it!?!?

Re: Multiple value for the same field in one event.How to determine statistics

woodcock — Sun, 22 Mar 2020 18:44:38 GMT

SHOW US THE FULL SEARCH SPL and a few sample events.