Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to count the number of values in a field by another field without stats?

brienhawker
Explorer
‎04-12-2019 03:14 PM

I have a search where I am trying to determine if a sender is a threat based on several different events that are added up at the end of my search. Before that though im trying to determine how many people that a sender has sent a message too. So far ive tried mvcount but it looks like mvcount doesnt allow a count by another value. Thanks in advance.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-13-2019 10:42 PM

It appears that you posted this same question twice, is this one a duplicate of this one:
https://answers.splunk.com/answers/740480/how-to-compare-characters-in-two-fields-and-return.html#an...

If so, you should delete this one, because the other answer is more specific and has an accepted answer.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-13-2019 10:43 PM

Please respond @brienhawker.

0 Karma
Reply

adonio
Ultra Champion
‎04-12-2019 06:39 PM

you can use the eventstats command, read here:
https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Eventstats

try this search anywhere, i hope it explains it well:

| makeresults count=5
| eval sender = "badguy,goodguy,neutralguy"
| makemv delim="," sender
| mvexpand sender
| eval recipients = case(sender=="badguy","1;;;2;;;3;;;4;;;5",sender=="neutralguy","1;;;2;;;3",sender=="goodguy","1")
| makemv delim=";;;" recipients
| mvexpand recipients
| eval message = "random message"
| eventstats dc(recipients) as unique_recipients by sender
0 Karma
Reply

smoir_splunk
Splunk Employee
Splunk Employee
‎04-12-2019 03:25 PM

Can you say more about why you don't want to use stats? Can you share an example search? Have you looked at other commands like chart or eventstats?

Reply

brienhawker
Explorer
‎04-12-2019 03:34 PM

Your eventstats recommendation worked. Thank you.

0 Karma
Reply

brienhawker
Explorer
‎04-12-2019 03:28 PM

Im not wanting to use stats because im needing to just count the number of recipients by sender mid search and from what ive tried I havent had much success from it. Im completly open if there is a way to do it.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top