https://community.splunk.com/t5/Splunk-Search/Count-of-events-by-field-where-field-has-multiple-instances-of/m-p/509481#M142383 <P>Hi there&nbsp;<BR /><BR />We presently have a setup where error codes are extracted and put into their own field.&nbsp; The way it's been setup is that we extract all instances where it matches a certain regex pattern (e.g. "ERROR-" -&gt; ERROR-1234, ERROR-5869 etc) meaning as the error code is repeated in the event we get multiple instances of the same item in the field (e.g. "ErrorField" = ERROR-1234, ERROR-1234, ERROR-5869).</P><P><SPAN>Doing 'stats count by ErrorField' seems to return all items, even the ones that are repeated as we'd get ERROR-1234 = 700 on the stats count, but a simple search where ErrorField=ERROR-1234 returns say 300 events only.</SPAN></P><P>I've tried to come up with a way to filter out the duplicates in the search but have so far come up short.&nbsp; My two possibles are creating a table of field instances, and then using that to launch a second search, or performing a sub search to capture the unique fields that are then used to count the events by field.&nbsp; What I have so far is as follows:<BR /><BR />index=index ErrorField="*"<BR />| stats count by ErrorField<BR />| replace ERROR-X-* with ERROR-X- in&nbsp;ErrorField<BR />| where count &gt; 200 AND ErrorField!="ERROR-X-"<BR />| table ErrorField<BR /><BR />In short I've got a search that counts, then does a replace/where to weed out values below a certain threshold/don't match a certain criteria then putting what remains in a table.&nbsp; It's the results from this table I want to use in the next search and count the total events for each item in that table, but have so far failed to be able to do this.<BR /><BR />Is this possible to do, and is there a right way to do this, either continuing with the method above or using a subsearch?&nbsp; Alternately is it possible to remove duplicates in the original field extraction so this isn't necessary?&nbsp; Although that option may not be possible as the field extraction isn't handled by ourselves and I can't say too much about it.<BR /><BR />Thank you!</P> Thu, 16 Jul 2020 09:13:23 GMT djohnson99 2020-07-16T09:13:23Z https://community.splunk.com/t5/Splunk-Search/Count-of-events-by-field-where-field-has-multiple-instances-of/m-p/509481#M142383 <P>Hi there&nbsp;<BR /><BR />We presently have a setup where error codes are extracted and put into their own field.&nbsp; The way it's been setup is that we extract all instances where it matches a certain regex pattern (e.g. "ERROR-" -&gt; ERROR-1234, ERROR-5869 etc) meaning as the error code is repeated in the event we get multiple instances of the same item in the field (e.g. "ErrorField" = ERROR-1234, ERROR-1234, ERROR-5869).</P><P><SPAN>Doing 'stats count by ErrorField' seems to return all items, even the ones that are repeated as we'd get ERROR-1234 = 700 on the stats count, but a simple search where ErrorField=ERROR-1234 returns say 300 events only.</SPAN></P><P>I've tried to come up with a way to filter out the duplicates in the search but have so far come up short.&nbsp; My two possibles are creating a table of field instances, and then using that to launch a second search, or performing a sub search to capture the unique fields that are then used to count the events by field.&nbsp; What I have so far is as follows:<BR /><BR />index=index ErrorField="*"<BR />| stats count by ErrorField<BR />| replace ERROR-X-* with ERROR-X- in&nbsp;ErrorField<BR />| where count &gt; 200 AND ErrorField!="ERROR-X-"<BR />| table ErrorField<BR /><BR />In short I've got a search that counts, then does a replace/where to weed out values below a certain threshold/don't match a certain criteria then putting what remains in a table.&nbsp; It's the results from this table I want to use in the next search and count the total events for each item in that table, but have so far failed to be able to do this.<BR /><BR />Is this possible to do, and is there a right way to do this, either continuing with the method above or using a subsearch?&nbsp; Alternately is it possible to remove duplicates in the original field extraction so this isn't necessary?&nbsp; Although that option may not be possible as the field extraction isn't handled by ourselves and I can't say too much about it.<BR /><BR />Thank you!</P> Thu, 16 Jul 2020 09:13:23 GMT https://community.splunk.com/t5/Splunk-Search/Count-of-events-by-field-where-field-has-multiple-instances-of/m-p/509481#M142383 djohnson99 2020-07-16T09:13:23Z https://community.splunk.com/t5/Splunk-Search/Count-of-events-by-field-where-field-has-multiple-instances-of/m-p/511291#M143284 <P>Are you sure that these are duplicates</P><P>If your ErrorField is a multivalue field then doing the stats count by will count by each of the values of the MV field</P><P>So, it's simple to remove duplicates with&nbsp;</P><LI-CODE lang="markup">| eval ErrorField=mvdedup(ErrorField)</LI-CODE><P>&nbsp;If the ErrorField is not multivalue (I am not sure how you would get your results if it is a simple string with comma separated values) then you could do</P><LI-CODE lang="markup">| eval ErrorField=mvdedup(split(ErrorField,","))</LI-CODE><P>Hope this helps</P><P>&nbsp;</P> Tue, 28 Jul 2020 10:19:35 GMT https://community.splunk.com/t5/Splunk-Search/Count-of-events-by-field-where-field-has-multiple-instances-of/m-p/511291#M143284 bowesmana 2020-07-28T10:19:35Z https://community.splunk.com/t5/Splunk-Search/Count-of-events-by-field-where-field-has-multiple-instances-of/m-p/511948#M143557 <P>That is tremendously simple and I can't believe that was it needed.&nbsp; Thank you for this!&nbsp;&nbsp;</P><P>The final query is now:<BR /><BR />index=index ErrorField="*"<BR />| eval ErrorField=mvdedup(ErrorField)<BR />| stats count by ErrorField<BR />| replace ERROR-X-* with ERROR-X- in ErrorField<BR />| where count &gt; 200 AND ErrorField!="ERROR-X-"</P> Fri, 31 Jul 2020 16:07:14 GMT https://community.splunk.com/t5/Splunk-Search/Count-of-events-by-field-where-field-has-multiple-instances-of/m-p/511948#M143557 djohnson99 2020-07-31T16:07:14Z