Splunk Search
Highlighted

Count all values in mv field, based on other value from mv field

Explorer

Hello,
I need to:

Count all values from mv field: blkio_stats.io_serviced_recursive{}.value where blkio_stats.io_serviced_recursive{}.op = write

Sample data:
https://pastebin.com/7fKSwztE

Thanks for help

Tags (2)
0 Karma
Highlighted

Re: Count all values in mv field, based on other value from mv field

Legend

@Rialf1959, please try the following using mvzip() function which should work as far as within multi-valued fields op and value there is one to one relationship. In other words mvcount()of op field should match with value field.

<YourBaseSearch>
| fields blkio_stats.io_serviced_recursive{}.op blkio_stats.io_serviced_recursive{}.value
| eval data=mvzip('blkio_stats.io_serviced_recursive{}.op','blkio_stats.io_serviced_recursive{}.value',";")
| table data
| mvexpand data
| search data="Write*"
| eval data=split(data,";")
| eval op=mvindex(data,0)
| eval value=mvindex(data,1)
| table op value

Refer to Splunk documentation for various Multi-value evaluation functions: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions




| eval message="Happy Splunking!!!"


0 Karma