Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to combine results after delimiting them ?

kumudjain
New Member
‎01-16-2019 10:38 PM

My logs contain application field which either have single value or multiple values.
I am using makemv command to delimit based on comma to separate applications when they are in multiple values as an array
but if an application for example [AML_PK2] is single in one log and is with many other applications in another log such as [AML_PK1, AML_PK2, AML_PK3] after counting for both results are like
AML_PK1 = 1
AML_PK2=1
AML_PK2 = 1
AML_PK3=1
How to combine results for aml_pk2 to show 2 counts?
My search query = index="app_web" |eval field1 = split(applications,"[") | eval field2 = split(field1,"]") | makemv delim="," field2 |search field2!=application/|search field2!=text/ |
top field2 by user countfield="No of Searches" showperc=False|rename field2 as "APPS"

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bangalorep
Communicator
‎01-16-2019 11:07 PM

This is what I tried.
| makeresults | eval a = "AML_PK1, AML_PK2, AML_PK3;AML_PK2" | makemv delim=";" a | mvexpand a | makemv delim=", " a | mvexpand a | stats count by a

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎01-16-2019 11:40 PM

Hi @kumudjain

Please try like

yoursearchhere |
 eval output = field1 + ";" + field2 |
 makemv delim=";" output |
 mvexpand output | stats count by output
0 Karma
Reply
Solved! Jump to solution

kumudjain
New Member
‎01-17-2019 12:43 AM

Thanks a lot for your valuable feedback 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

bangalorep
Communicator
‎01-16-2019 11:07 PM

This is what I tried.
| makeresults | eval a = "AML_PK1, AML_PK2, AML_PK3;AML_PK2" | makemv delim=";" a | mvexpand a | makemv delim=", " a | mvexpand a | stats count by a

0 Karma
Reply
Solved! Jump to solution

kumudjain
New Member
‎01-17-2019 12:42 AM

Thanks it was exactly what i was looking for! 🙂

0 Karma
Reply
Solved! Jump to solution

bangalorep
Communicator
‎01-17-2019 01:09 AM

Oh great! Please accept the answer if it helped you 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...