Solved: how to combine results after delimiting them ?

kumudjain · ‎01-16-2019

My logs contain application field which either have single value or multiple values.
I am using makemv command to delimit based on comma to separate applications when they are in multiple values as an array
but if an application for example [AML_PK2] is single in one log and is with many other applications in another log such as [AML_PK1, AML_PK2, AML_PK3] after counting for both results are like
AML_PK1 = 1
AML_PK2=1
AML_PK2 = 1
AML_PK3=1
How to combine results for aml_pk2 to show 2 counts?
My search query = index="app_web" |eval field1 = split(applications,"[") | eval field2 = split(field1,"]") | makemv delim="," field2 |search field2!=application/|search field2!=text/ |
top field2 by user countfield="No of Searches" showperc=False|rename field2 as "APPS"

bangalorep · ‎01-16-2019

View solution in original post

vnravikumar · ‎01-16-2019

Hi @kumudjain

Please try like

yoursearchhere |
 eval output = field1 + ";" + field2 |
 makemv delim=";" output |
 mvexpand output | stats count by output

kumudjain · ‎01-17-2019

Thanks a lot for your valuable feedback 🙂

bangalorep · ‎01-16-2019

kumudjain · ‎01-17-2019

Thanks it was exactly what i was looking for! 🙂

bangalorep · ‎01-17-2019

Oh great! Please accept the answer if it helped you 🙂

how to combine results after delimiting them ?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes