topic Re: Combine stats across multiline events in Splunk Search https://community.splunk.com/t5/Splunk-Search/Combine-stats-across-multiline-events/m-p/174446#M50059 <P>Thank you, Martin! mvexpand is magical. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 05 Mar 2014 18:57:41 GMT hulahoop 2014-03-05T18:57:41Z Combine stats across multiline events https://community.splunk.com/t5/Splunk-Search/Combine-stats-across-multiline-events/m-p/174444#M50057 <P>How can I get stats by author if I have multiline events like the below?</P> <PRE><CODE>Project: /a/b/c loc=100 author=aaa@foo.com loc=100 author=bbb@foo.com loc=100 author=ccc@foo.com Project: /a/b/c loc=200 author=aaa@foo.com loc=200 author=ccc@foo.com loc=200 author=ddd@foo.com </CODE></PRE> <P>Given the 2 events above, am looking for a results table like this:</P> <PRE><CODE>Project Author Total Lines of Code (loc) ------------------------------------------------- /a/b/c aaa@foo.com 300 bbb@foo.com 100 ccc@foo.com 300 ddd@foo.com 200 </CODE></PRE> Wed, 05 Mar 2014 08:18:15 GMT https://community.splunk.com/t5/Splunk-Search/Combine-stats-across-multiline-events/m-p/174444#M50057 hulahoop 2014-03-05T08:18:15Z Re: Combine stats across multiline events https://community.splunk.com/t5/Splunk-Search/Combine-stats-across-multiline-events/m-p/174445#M50058 <P>You could do something like this:</P> <PRE><CODE>... | rex "Project:\s+(?&lt;project&gt;\S+)" | rex max_match=0 "(?&lt;loc_author&gt;loc=\d+\s+author=\S+)" | mvexpand loc_author | rex field=loc_author "loc=(?&lt;loc&gt;\d+)\s+author=(?&lt;author&gt;\S+)" | stats sum(loc) by project author </CODE></PRE> <P>Make sure that doesn't clash with a potentially auto-extracted first set of loc/author fields.</P> Wed, 05 Mar 2014 08:33:42 GMT https://community.splunk.com/t5/Splunk-Search/Combine-stats-across-multiline-events/m-p/174445#M50058 martin_mueller 2014-03-05T08:33:42Z Re: Combine stats across multiline events https://community.splunk.com/t5/Splunk-Search/Combine-stats-across-multiline-events/m-p/174446#M50059 <P>Thank you, Martin! mvexpand is magical. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 05 Mar 2014 18:57:41 GMT https://community.splunk.com/t5/Splunk-Search/Combine-stats-across-multiline-events/m-p/174446#M50059 hulahoop 2014-03-05T18:57:41Z