topic Re: stats count conditional for multi field in Splunk Search

stats count conditional for multi field

corehan — Mon, 27 Sep 2021 07:18:54 GMT

Hello dears,

I want to list my search if "B" total count higher than >3 than list by "A"

A and B fields could have variable values, doesn't matter.

search | stats count(B) by A,B |sort -A |where B>3

Re: stats count conditional for multi field

corehan — Mon, 27 Sep 2021 07:28:37 GMT

now i'm trying something like this;

search | stats count(B) by A,B |sort -A |where sum(count(B))>3

Re: stats count conditional for multi field

PickleRick — Mon, 27 Sep 2021 08:11:30 GMT

Depends on what you mean by "multi-field". Do you want to just count separate occurences of B?

In this case it's just

search | stats count(B) by A | where count(B)>3 | sort - A

If you want to count distinct values of B, it's not count but dc (distinctcount).

search | stats dc(B) by A | where dc(B)>3 | sort - A

But if you have a multi-value field B and want to count items within the field, you have to approach it differently

search | where mvcount(B)>3 | sort - A

Re: stats count conditional for multi field

corehan — Mon, 27 Sep 2021 08:59:44 GMT

Yes, i want to list , multi-value field B and want to count items within the field. Should i use stats command before ?

I try this but not works for me;

search | where mvcount(B)>3 | sort - A

Re: stats count conditional for multi field

PickleRick — Mon, 27 Sep 2021 09:16:58 GMT

No. Stats command is for calculating stats pertaining to sets of events. as far as I can understand, you want to have a count of multivalued field entries per each event.

Try

search | eval mvc=mvcount(B)

And see if the mvc field is properly calculated.

Also, it usually helps if you provide us with a sample of your data so we know that we all have common understanding of what you want to achieve.

Re: stats count conditional for multi field

corehan — Tue, 28 Sep 2021 07:39:03 GMT

Thank you for answers. So, more details for this;

I have lot of network devices and subscribers. So, i want to analyse subscriber compliants. When the total subscriber compliants count reach to 10 number by each device, than list.

my field details;

OLT=Network devices

H = Subscriber IDs

REQUESTNAME = Subscriber compliant types

index=decoder M=NetworkMapDataInit C=GPONChecker OLT="*" | eval Date=date_month." ".date_mday | dedup H,U,S | join H,U,S type=inner [search index=decoder M=WF_CrmRequestAndNetflowTask C=OVERLAY P=checkResult NetflowResultMsg1=NetflowTaskCreated | dedup H,U,S ] | stats count by Date,OLT,H,REQUESTNAME

Re: stats count conditional for multi field

PickleRick — Tue, 28 Sep 2021 07:57:56 GMT

Ahhh, so you want to do stats on simple events. You don't have multivalue fields. Multivalue field holds multiple values within a single event. It's not your case as far as I can see.

Your stats command is a bit too detailed. You just want to group by device, so that's the only field you should leave in the "by" clause. Then you can filter your results.

index=decoder M=NetworkMapDataInit C=GPONChecker OLT="*"
| eval Date=date_month." ".date_mday
| dedup H,U,S
| join H,U,S type=inner
  [search index=decoder M=WF_CrmRequestAndNetflowTask C=OVERLAY P=checkResult NetflowResultMsg1=NetflowTaskCreated
   | dedup H,U,S ]
| stats count as complaint_number list(Date) list(H) list(REQUESTNAME) by OLT
| where complaint_number >= 10

You could also try to lose that join in favour of some stats aggregation but it's another story.

Re: stats count conditional for multi field

corehan — Tue, 28 Sep 2021 08:10:05 GMT

you are amazing, works fine. Thank you very much

I love splunk community..