Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Counting Occurrences Based Off Multiple Fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Counting Occurrences Based Off Multiple Fields
Hi All,
I'm currently trying to test my field structure for dedup, but aren't sure of what best practices are for doing so/how to code them all.
As of now, since I'm trying to delete a duplication error in my log system, I'm trying to count the amount of response where three fields are equal across the logs (not within the logs). If the count is above 2, it means that with those 3 fields of some set values I must be counting not only the original and the copy, but also some other log.
Do you know how I could potentially code this efficiently? Will I have to merge the 3 fields into one and then compare them with a count, or can I keep them separate?
Also, do any of you have any other ideas for how I could check dedup? I'm open to any and all suggestions.
Thanks so much for your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
yoursearchhere-across-all-sources
| eval combinedField = null()
| eval combinedField = coalesce(possibleFieldName1,possibleFieldName2,possibleFieldName3)
| stats count(combinedField) by source
| stats count values(source)
This will give you what you want for one field, I think. First, it creates a single field called combinedField, based on all the possible names that the field could have across the sources (possibleFieldName1, possibleFieldName2, etc.)
Then it counts the number of times that the field appears across the sources, and finally reduces that to the number of sources where the field appears. It displays the count of sources along with a list of the source names.
This works for one field. However, I can't see how you would do this for multiple fields simultaneously, especially if the field names can vary across sources. But perhaps I did not clearly understand the question...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Iguinn,
I actually think this may work alone.
| stats count by a, b, c
Also, if I wanted to keep other values, I think I'd do it this way:
| stats values(d),count by a,b,c
Will this work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Iguinn,
Thanks for the help, I do need to compare 3 fields at once. I think the best way would be to do a count by the values in a mvfield I can create. I'm a bit confused about your code above because I thought coalesce just takes a number of fields and returns the first one that is not null, not necessarily combining them?
Would my code below count all logs that match fields a, b, and c? Also, do you know a better way of making the combinedfield?
| eval combinedfield = a.b.c
| stats count(combinedfield)
Thanks again for the help.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
