Re: Count of values in a multi-value field

hpendela · ‎01-18-2019

Log lines:
k1=doesn't matter, k2=doesn't matter, k3=[v3, v4]
k1=doesn't matter, k2=doesn't matter, k3=[v5, v4, v6]
k1=doesn't matter, k2=doesn't matter, k3=[v5, v6, v9, v4]

Expected output:

v4 => 3
v5 => 2
v6 => 2
v3 => 1
v9 => 1

vnravikumar · ‎01-18-2019

Hi @hpendela

Please try

| makeresults 
| eval log="k1=doesn't matter, k2=doesn't matter, k3=[v3, v4];
k1=doesn't matter, k2=doesn't matter, k3=[v5, v4, v6];
k1=doesn't matter, k2=doesn't matter, k3=[v5, v6, v9, v4]" 
| makemv delim=";" log 
| mvexpand log 
| rex field=log "k3=\[(?P<k3>(.*))]" 
| makemv delim="," k3 
| eval k3= ltrim(k3) 
| stats count by k3

renjith_nair · ‎01-18-2019

@hpendela,

Try

"your base search" | rex field=k3 max_match=0 (?<vals>\w\d+)|stats count by vals

If you have more than one character in v , change the grouping part as (?<vals>\w+\d+)

---
What goes around comes around. If it helps, hit it with Karma 🙂

Count of values in a multi-value field

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Count of values in a multi-value field

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR