- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to count distinct values of a multi value field
Hi, I have a weird requirement where I have to count the distinct values of a multi value field. So I have a xml where a particular node can appear one time or multiple times and there are many nodes like this.
How do i count the distinct number of nodes using a request ID? Basically I am looking something like this -
| request ID | nodes | Count |
| 12345 | networkpremise networkdetails mysubscription | 2 3 2 |
| 3456778 | networkpremise networkdetails mysubscription | 6 2 4 |
| And so on.. |
Not exactly like above but if there are some other interpretations which can give a better view please let me know. I've looked into some of the posts like this but the solution has not worked for me
Let me know if someone can help on this. This is my query which I was trying to do from the above referebnc
index=test_prod MyServiceGateway "SoapMessage Incoming"
| rex field=_raw "\<(?<nodes>[^\>]+)\>\s+?\<action\>" max_match=0
| rex field=_raw "\>(?<requestID>[^\<]+)\<\/ns:requestID>" max_match=0
| table requestID nodes
| untable requestID field value
| makemv delim="," value
| mvexpand value
| stats count by requestID field value
| eval pair=value." (".count.")"
| stats list(pair) as values by requestID field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You will need to give an example of your own data so we can help translate that to your desired output but probably something like
| stats count by requestId node
| stats list(node) as nodes list(count) as count by requestIdbut that will depend somewhat on your data
