Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with the logic to make this count my fields correctly

JRamirezEnosys
Explorer
‎08-23-2017 06:52 PM

Hi, I have the following field called OS with 6 different values and count for each value:

Windows = 5
Mac = 4
Linux = 5
Mac, Windows = 10
Mac, Windows, Linux = 12
Mac, Linux = 11

The problem stand on that the real total of Windows values would be Windows,Windows+Mac,Windows,Linux (5+10+12)

So I would like to separate Mac,Windows into Windows and Mac values and add them to the Windows and Mac value.

At the end I would like to have something like:

Windows=27
Mac=26
Linux=16

My idea is to rename them twice but it doesn't really work out for me. Any ideas or solutions are welcome.

Cheers

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-23-2017 08:58 PM

Give this a try

If you have field OS only showing the OS names and not the count.

your current search giving field OS and count
| makemv OS delim=","  | mvexpand OS | stats sum(count) as count by OS

If Windows = 5 is the actual full value for field OS, try this (extracting OS names and count)

your current search giving field OS with values like Windows = 5
| rex field=OS "(?<OS1>\S+)\s*\=(?<count>\d+)"
 | makemv OS1 delim=","  | mvexpand OS1 | stats sum(count) as count by OS1 | rename OS1 as OS

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-23-2017 08:58 PM

Give this a try

If you have field OS only showing the OS names and not the count.

your current search giving field OS and count
| makemv OS delim=","  | mvexpand OS | stats sum(count) as count by OS

If Windows = 5 is the actual full value for field OS, try this (extracting OS names and count)

your current search giving field OS with values like Windows = 5
| rex field=OS "(?<OS1>\S+)\s*\=(?<count>\d+)"
 | makemv OS1 delim=","  | mvexpand OS1 | stats sum(count) as count by OS1 | rename OS1 as OS
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...