Solved: Re: Count values delimited by "," in a field

habrhi · ‎02-20-2020

Hi guys,

Thanks for the help

manjunathmeti · ‎02-20-2020

Use rex to extract character 's' and count it.

| rex field=_raw max_match=0 "(?[s]+)" | eval slen=mvcount(smatch)

Sample query:

| makeresults | eval "FIELD A"="x", "FIELD B"="s,a,b,c" | append [| makeresults | eval "FIELD A"="y", "FIELD B"="s,x,x,xs"] | append [| makeresults | eval "FIELD A"="z", "FIELD B"="s,a,s,s,s"] | rex field="FIELD B" max_match=0 "(?<smatch>[s]+)" | eval count=mvcount(smatch) | table "FIELD A", "FIELD B", count

View solution in original post

habrhi · ‎02-21-2020

thanks , that was clear .
regards

Vijeta · ‎02-20-2020

@habrhi - assuming A and B are your field names

your query |eval newB=B| makemv delim="," newB| mvexpand newB| stats count(eval(LIKE(newB,"%s%"))) as c by A B

manjunathmeti · ‎02-20-2020

Use rex to extract character 's' and count it.

| rex field=_raw max_match=0 "(?[s]+)" | eval slen=mvcount(smatch)

Sample query:

| makeresults | eval "FIELD A"="x", "FIELD B"="s,a,b,c" | append [| makeresults | eval "FIELD A"="y", "FIELD B"="s,x,x,xs"] | append [| makeresults | eval "FIELD A"="z", "FIELD B"="s,a,s,s,s"] | rex field="FIELD B" max_match=0 "(?<smatch>[s]+)" | eval count=mvcount(smatch) | table "FIELD A", "FIELD B", count

Count values delimited by "," in a field

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms