- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Count values in multivalue field encoded as a stri...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Count values in multivalue field encoded as a string
I have the following entry in several of my events:
puppy_name = "Scout Windixie Spot"
If it's not obvious already, this field, puppy_name, has 3 different values. It really should be:
puppy_names = ["Scout", "Windixie", "Spot"]
That said, I have a couple of questions:
Note if you can help me with question 2, then don't bother with 1
1) What spl query can I construct to count the number of unique strings in puppy_name and put the result in a new field called puppy_name_count?
I have already tried:
index="puppies" | eval puppy_name_count=mvcount(split(puppy_name, " "))
Assuming split() returns an array (although I can't say this for sure because I couldn't find any documentation on split()), I need something like:
index="puppies" | eval puppy_name_count=array_length(split(puppy_name, " "))
Does anyone know how I can achieve this?
2) Is there an spl query or splunk configuration I can write to automatically split in the different puppy names in puppy_name into something like: puppys_name=["Scout", "Windixie", "Spot"]?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1)
| makeresults
| eval puppy_name = "Scout Windixie Spot Spot"
| eval name_count = mvcount(mvdedup(split(puppy_name," ")))
2) it looks like a list in python, I'm not sure splunk has a function that converts a list string directly into a multi-valued field, I recommend parsing it first with a regular expression, like this:
| makeresults
| eval puppy_name ="['Scout', 'Windixie', 'Spot','Spot']"
| rex field=puppy_name "'(?P[^']+)'" max_match=0
| eval name_count = mvcount(mvdedup(name))
Hope that helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @brinley
Check this
To find the number of unique strings:
| makeresults
| eval puppy_name = "Scout Windixie Spot Scout"
| makemv delim=" " puppy_name
| eval puppy_name_count =mvcount(mvdedup(puppy_name))
| table puppy_name_count
String in the required format:
| makeresults
| eval puppy_name = "Scout Windixie Spot Scout"
| makemv delim=" " puppy_name
| eval puppy_name =mvdedup(puppy_name)
| mvexpand puppy_name
| eval puppy_name = "\"".puppy_name."\""
| mvcombine puppy_name delim=","
| nomv puppy_name
| eval puppy_name = "[".puppy_name."]"
| table puppy_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This does work. So if that isn't working in your data then you have some hidden character.
| makeresults
| eval puppy_name = "Scout Windixie Spot"
| eval nameCount=mvcount(split(puppy_name," "))
Play around with field extraction to break them up similar to
| makeresults
| eval puppy_name = "Scout Windixie Spot"
| rex field=puppy_name max_match=0 "(?P<puppy_names>[^\s\r\n]+)"
| eval nameCount=mvcount(split(puppy_names," "))
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
