Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with the logic to make this count my fields correctly

JRamirezEnosys
Explorer
‎08-23-2017 06:52 PM

Hi, I have the following field called OS with 6 different values and count for each value:

Windows = 5
Mac = 4
Linux = 5
Mac, Windows = 10
Mac, Windows, Linux = 12
Mac, Linux = 11

The problem stand on that the real total of Windows values would be Windows,Windows+Mac,Windows,Linux (5+10+12)

So I would like to separate Mac,Windows into Windows and Mac values and add them to the Windows and Mac value.

At the end I would like to have something like:

Windows=27
Mac=26
Linux=16

My idea is to rename them twice but it doesn't really work out for me. Any ideas or solutions are welcome.

Cheers

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-23-2017 08:58 PM

Give this a try

If you have field OS only showing the OS names and not the count.

your current search giving field OS and count
| makemv OS delim=","  | mvexpand OS | stats sum(count) as count by OS

If Windows = 5 is the actual full value for field OS, try this (extracting OS names and count)

your current search giving field OS with values like Windows = 5
| rex field=OS "(?<OS1>\S+)\s*\=(?<count>\d+)"
 | makemv OS1 delim=","  | mvexpand OS1 | stats sum(count) as count by OS1 | rename OS1 as OS

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-23-2017 08:58 PM

Give this a try

If you have field OS only showing the OS names and not the count.

your current search giving field OS and count
| makemv OS delim=","  | mvexpand OS | stats sum(count) as count by OS

If Windows = 5 is the actual full value for field OS, try this (extracting OS names and count)

your current search giving field OS with values like Windows = 5
| rex field=OS "(?<OS1>\S+)\s*\=(?<count>\d+)"
 | makemv OS1 delim=","  | mvexpand OS1 | stats sum(count) as count by OS1 | rename OS1 as OS
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...