topic Re: I'm trying to count the number of times a particular mvfield value occurs. in Splunk Search

I'm trying to count the number of times a particular mvfield value occurs.

snandaku — Thu, 14 May 2015 20:48:43 GMT

Event data set is as follows:
{
"actions":["CREATE","DELETE", "MODIFY"],
"topic":"image",
"event_time":"2015-05-14T00:39:52Z",
}

I have tried the following:
source_type=<source> | mvexpand actions | stats count(eval(actions=="CREATE")) as "Number of File Creations"
but it doesn't work. What am I doing wrong? Any help would be much appreciated!

Re: I'm trying to count the number of times a particular mvfield value occurs.

woodcock — Thu, 14 May 2015 21:39:02 GMT

Try this:

source_type=source | eval lenmatch=length("CREATE") | eval len=length(actions) | eval copy=actions| rex field=copy mode=sed "s/CREATE//g" | eval lencopy=len(copy) | eval numValues= (len - lencopy) / lenmatch

Re: I'm trying to count the number of times a particular mvfield value occurs.

martin_mueller — Thu, 14 May 2015 21:41:55 GMT

If your actions field is correctly extracted as an mv field then you can just search on it:

sourcetype=foo actions=CREATE | stats count as "Number of File Creations"

Re: I'm trying to count the number of times a particular mvfield value occurs.

woodcock — Thu, 14 May 2015 21:43:54 GMT

I suppose it could be condensed to this:

source_type=source | eval len=length(actions) | eval copy=actions| rex field=copy mode=sed "s/CREATE//g" | eval numValues= (len - len(copy)) / 6

Re: I'm trying to count the number of times a particular mvfield value occurs.

martin_mueller — Thu, 14 May 2015 21:46:25 GMT

If actions is a multivalue field as specified in the question then treating it as a huge string is not worth bonus karma points 😛

Re: I'm trying to count the number of times a particular mvfield value occurs.

snandaku — Fri, 15 May 2015 08:44:33 GMT

Thanks Martin. Could you please explain what you mean by "if your actions field is correctly extracted as an mv field"? What's the correct way to extract an mv field?

While the above expression didn't work for me, I used something similar and successfully got the count of all events containing a CREATE action. This is what worked:

sourcetype=foo CREATE | stats count as "Number of File Creations"

For some reason it didn't like the actions=CREATE. Any idea why?

Re: I'm trying to count the number of times a particular mvfield value occurs.

snandaku — Fri, 15 May 2015 08:45:20 GMT

Thanks for your reply woodcock! I tried this out but it didn't work for me. Perhaps what's missing is the stats count portion?

Re: I'm trying to count the number of times a particular mvfield value occurs.

martin_mueller — Fri, 15 May 2015 09:22:27 GMT

Searching for the term CREATE will work as long as no other fields contain that term.

What happens when you run this:

sourcetype=foo | table _time action

Do you get a column action? Does each row contain multiple values underneath each other or one long string?

Re: I'm trying to count the number of times a particular mvfield value occurs.

woodcock — Fri, 15 May 2015 13:41:20 GMT

He means this:

sourcetype=foo | table _time actions

Re: I'm trying to count the number of times a particular mvfield value occurs.

snandaku — Sat, 16 May 2015 19:54:41 GMT

When I try sourcetype=foo | table _time actions

I get a column _time populated with timestamps and an empty column actions (just blank).

Re: I'm trying to count the number of times a particular mvfield value occurs.

martin_mueller — Sat, 16 May 2015 20:12:27 GMT

Make sure you're actually extracting fields from those JSON events.

Re: I'm trying to count the number of times a particular mvfield value occurs.

snandaku — Sat, 16 May 2015 22:21:32 GMT

That was exactly the problem, thank you so much Martin! I used the interactive field extractor to extract the actions field, and it works now.