Hi, I have a weird requirement where I have to count the distinct values of a multi value field. So I have a xml where a particular node can appear one time or multiple times and there are many nodes like this.
How do i count the distinct number of nodes using a request ID? Basically I am looking something like this -
| request ID | nodes | Count |
| 12345 | networkpremise networkdetails mysubscription | 2 3 2 |
| 3456778 | networkpremise networkdetails mysubscription | 6 2 4 |
| And so on.. | | |
Not exactly like above but if there are some other interpretations which can give a better view please let me know. I've looked into some of the posts like this but the solution has not worked for me
https://community.splunk.com/t5/Splunk-Search/Can-I-get-a-count-of-distinct-values-in-multivalue-fie...
Let me know if someone can help on this. This is my query which I was trying to do from the above referebnc
index=test_prod MyServiceGateway "SoapMessage Incoming"
| rex field=_raw "\<(?<nodes>[^\>]+)\>\s+?\<action\>" max_match=0
| rex field=_raw "\>(?<requestID>[^\<]+)\<\/ns:requestID>" max_match=0
| table requestID nodes
| untable requestID field value
| makemv delim="," value
| mvexpand value
| stats count by requestID field value
| eval pair=value." (".count.")"
| stats list(pair) as values by requestID field
