Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Correlate multivalues and count each relation to other values

Lithyum
Engager
‎07-17-2023 03:53 AM

Hi.

I need help in understanding how this can be done:

The application's log have a multivalue like this:

<somedata> [field1=A,B,C] <someotherdata>
<somedata> [field1=A,C] <someotherdata>
<somedata> [field1=E,F] <someotherdata>

And I need to find correlations between these values.

I'm looking to have something like:

field1mv  inConjunctionWith  count
      A              <all>      2
      A                  C      2
      A                  B      1
      B              <all>      1
      B                  A      1
      C              <all>      2
      C                  A      2
      C                  B      1
      E              <all>      1
      E                  F      1
      F              <all>      1
      F                  E      1

 

This way it'll be possible to identify that A+C, and E+F, have the same occurrences and probably are always together; also it'll show which values are the most common.

 

I feel I should be able to pull this off with mvmap but can't make my brain produce the actual process to it.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-17-2023 04:42 AM 
| eval inConjunctionWith=field1
| mvexpand inConjunctionWith
| mvexpand field1
| stats count by field1 inConjunctionWith
| eval inConjunctionWith=if(inConjunctionWith=field1,"<all>",inConjunctionWith)
| sort 0 field1 -count inConjunctionWith

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-17-2023 04:42 AM 
| eval inConjunctionWith=field1
| mvexpand inConjunctionWith
| mvexpand field1
| stats count by field1 inConjunctionWith
| eval inConjunctionWith=if(inConjunctionWith=field1,"<all>",inConjunctionWith)
| sort 0 field1 -count inConjunctionWith
Reply
Solved! Jump to solution

Lithyum
Engager
‎07-17-2023 05:52 AM

Thanks ITWhisperer.

The mvexpand was the kicker! 😀

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...