topic Re: counting using group by multivalue fields that might contain empty or inconsistent fields? in Splunk Search https://community.splunk.com/t5/Splunk-Search/counting-using-group-by-multivalue-fields-that-might-contain/m-p/269171#M176336 <P>It gives out random results since it is multi-value field. </P> Mon, 24 Oct 2016 15:12:12 GMT moaf13 2016-10-24T15:12:12Z counting using group by multivalue fields that might contain empty or inconsistent fields? https://community.splunk.com/t5/Splunk-Search/counting-using-group-by-multivalue-fields-that-might-contain/m-p/269169#M176334 <P>So i have scenario where i have to group by a table (Make, model, horsepower year) like the one below, </P> <PRE><CODE>Make model(mvFields) horspower(mvFields) year(mvFields) comment Toyota camry 175 2013 (empty field) corolla 120 2013 (empty field) camry (empty field) 2013 (empty field) separator Honda accord 180 2013 (empty field) civic 115 (empty field) broken tail light accord 180 2013 (empty field) </CODE></PRE> <P>Now i have used <CODE>eval comb=mvzip(model,horsepower,",")| eval comb=mvzip(comb,comment)</CODE> so whenever I try to combine empty fields, the field <CODE>comb</CODE> returns null or empty. My goal here is to have a count of unique group by of all the fields combined</P> <P>for example</P> <PRE><CODE>Toyota camry 175 2013 (empty field) count=1 Toyota camry (empty field) 2013 (empty field) count=1 Honda accord 180 2013 (empty field) count=2 </CODE></PRE> <P>if there are other ways of doing this, please share. thanks</P> Sun, 23 Oct 2016 15:20:03 GMT https://community.splunk.com/t5/Splunk-Search/counting-using-group-by-multivalue-fields-that-might-contain/m-p/269169#M176334 moaf13 2016-10-23T15:20:03Z Re: counting using group by multivalue fields that might contain empty or inconsistent fields? https://community.splunk.com/t5/Splunk-Search/counting-using-group-by-multivalue-fields-that-might-contain/m-p/269170#M176335 <P>Is there a reason <CODE>stats count by Year Make Mode, HP</CODE> will not work?</P> Mon, 24 Oct 2016 14:38:59 GMT https://community.splunk.com/t5/Splunk-Search/counting-using-group-by-multivalue-fields-that-might-contain/m-p/269170#M176335 sundareshr 2016-10-24T14:38:59Z Re: counting using group by multivalue fields that might contain empty or inconsistent fields? https://community.splunk.com/t5/Splunk-Search/counting-using-group-by-multivalue-fields-that-might-contain/m-p/269171#M176336 <P>It gives out random results since it is multi-value field. </P> Mon, 24 Oct 2016 15:12:12 GMT https://community.splunk.com/t5/Splunk-Search/counting-using-group-by-multivalue-fields-that-might-contain/m-p/269171#M176336 moaf13 2016-10-24T15:12:12Z Re: counting using group by multivalue fields that might contain empty or inconsistent fields? https://community.splunk.com/t5/Splunk-Search/counting-using-group-by-multivalue-fields-that-might-contain/m-p/269172#M176337 <P>So you raw data has mv fields? What format is the raw data in? Can you use <CODE>SEDCMD</CODE> to replace blank values with "null value"?</P> Mon, 24 Oct 2016 16:56:31 GMT https://community.splunk.com/t5/Splunk-Search/counting-using-group-by-multivalue-fields-that-might-contain/m-p/269172#M176337 sundareshr 2016-10-24T16:56:31Z Re: counting using group by multivalue fields that might contain empty or inconsistent fields? https://community.splunk.com/t5/Splunk-Search/counting-using-group-by-multivalue-fields-that-might-contain/m-p/269173#M176338 <P>Yes that is helpful, Thank you!</P> Fri, 28 Oct 2016 03:08:32 GMT https://community.splunk.com/t5/Splunk-Search/counting-using-group-by-multivalue-fields-that-might-contain/m-p/269173#M176338 moaf13 2016-10-28T03:08:32Z