Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Counting multi-value fields from data

tgow
Splunk Employee
Splunk Employee
‎11-11-2011 01:55 PM

I have the following data:

10..20.10.100 - - [11Nov/2011:13:21:16 -0500] "GET /portlets/market_info.json?ID_STUFF=32497,32498,32104,891848,1244022,2474811 HTTP/1.1" 200 3281 "-" "Jakarta Commons-HttpClient/3.1"0/920549

I am creating the "ID_VALUES" field with the following search 

index=test ID_STUFF | rex max_match field=_raw "ID_STUFF\=(|\S+,)(?<ID_VALUES>.*?)(\s+|&)"

The ID_VALUES field is now a multi-value field. I want to extract each value and run additional search commands against it. I have tried the following and it is not working:

index=test ID_STUFF | rex max_match field=_raw "ID_STUFF\=(|\S+,)(?<ID_VALUES>.*?)(\s+|&)"  | mvexpand ID_VALUES | stats count by ID_VALUES

This is not giving me an individual count of each value of the multi-value field of ID_VALUES. My results look like this:

ID_VALUES                                                                     Count 
32497,32498,32104,891848,1244022,2474811                                        2

I want it to look like the following:

ID_VALUES                                                                  Count
32497                                                                         2
32498                                                                         2
32104                                                                         2
891848                                                                        2
1244022                                                                       2
2474811                                                                       2

What is the correct multi-value field search command to pull this together?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎11-11-2011 05:40 PM

Give this a try:

index=test ID_STUFF | rex max_match field=_raw "ID_STUFF\=(|\S+,)(?<ID_VALUES>.*?)(\s+|&)" | makemv delim="," ID_VALUES | mvexpand ID_VALUES | stats count by ID_VALUES

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

View solution in original post

Reply
Solved! Jump to solution

ajayabburi508
Path Finder
‎12-02-2016 01:09 AM

index=test ID_STUFF | rex max_match field=_raw "ID_STUFF=(|\S+,)(?.*?)(\s+|&)" | eval ID_VALUES =split(ID_VALUES ,",") | mvexpand ID_VALUES | stats count by ID_VALUES

0 Karma
Reply
Solved! Jump to solution

tgow
Splunk Employee
Splunk Employee
‎11-11-2011 07:03 PM

That was the ticket. I forgot about combining the makemv and mvexpand.

0 Karma
Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎11-11-2011 05:40 PM

Give this a try:

index=test ID_STUFF | rex max_match field=_raw "ID_STUFF\=(|\S+,)(?<ID_VALUES>.*?)(\s+|&)" | makemv delim="," ID_VALUES | mvexpand ID_VALUES | stats count by ID_VALUES

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎11-12-2011 09:23 AM

Actually, you don't need mvexpand at all, and your search will be more efficient without it. Also, I personally would replace | makemv delim=",",ID_VALUES with | eval ID_VALUES=split(ID_VALUES,","".

Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...