Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Count values in multivalue field encoded as a ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Count values in multivalue field encoded as a string
I have the following entry in several of my events:
puppy_name = "Scout Windixie Spot"
If it's not obvious already, this field, puppy_name, has 3 different values. It really should be:
puppy_names = ["Scout", "Windixie", "Spot"]
That said, I have a couple of questions:
Note if you can help me with question 2, then don't bother with 1
1) What spl query can I construct to count the number of unique strings in puppy_name and put the result in a new field called puppy_name_count?
I have already tried:
index="puppies" | eval puppy_name_count=mvcount(split(puppy_name, " "))
Assuming split() returns an array (although I can't say this for sure because I couldn't find any documentation on split()), I need something like:
index="puppies" | eval puppy_name_count=array_length(split(puppy_name, " "))
Does anyone know how I can achieve this?
2) Is there an spl query or splunk configuration I can write to automatically split in the different puppy names in puppy_name into something like: puppys_name=["Scout", "Windixie", "Spot"]?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1)
| makeresults
| eval puppy_name = "Scout Windixie Spot Spot"
| eval name_count = mvcount(mvdedup(split(puppy_name," ")))
2) it looks like a list in python, I'm not sure splunk has a function that converts a list string directly into a multi-valued field, I recommend parsing it first with a regular expression, like this:
| makeresults
| eval puppy_name ="['Scout', 'Windixie', 'Spot','Spot']"
| rex field=puppy_name "'(?P[^']+)'" max_match=0
| eval name_count = mvcount(mvdedup(name))
Hope that helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @brinley
Check this
To find the number of unique strings:
| makeresults
| eval puppy_name = "Scout Windixie Spot Scout"
| makemv delim=" " puppy_name
| eval puppy_name_count =mvcount(mvdedup(puppy_name))
| table puppy_name_count
String in the required format:
| makeresults
| eval puppy_name = "Scout Windixie Spot Scout"
| makemv delim=" " puppy_name
| eval puppy_name =mvdedup(puppy_name)
| mvexpand puppy_name
| eval puppy_name = "\"".puppy_name."\""
| mvcombine puppy_name delim=","
| nomv puppy_name
| eval puppy_name = "[".puppy_name."]"
| table puppy_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This does work. So if that isn't working in your data then you have some hidden character.
| makeresults
| eval puppy_name = "Scout Windixie Spot"
| eval nameCount=mvcount(split(puppy_name," "))
Play around with field extraction to break them up similar to
| makeresults
| eval puppy_name = "Scout Windixie Spot"
| rex field=puppy_name max_match=0 "(?P<puppy_names>[^\s\r\n]+)"
| eval nameCount=mvcount(split(puppy_names," "))
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
