Re: Extract count of each value of a field and cre...

priyangshupal · ‎10-29-2021

I have a field "skill" which takes multiple values:

I want to extract the count of each of the values of skill and store each of them in variables.

Say v1,v2,v3,v5 etc:

where their values are

v1 = 181

v2 = 144

v3 = 80

and so on.

tread_splunk · ‎10-29-2021

But if you really want to introduce the V1, V2, V3 field names you'll need...

index=_* index=_internal sourcetype=splunkd 
| rename component as skill 
| timechart span=5m count by skill limit=0 
| untable _time skill count 
| sort skill, _time 
| streamstats dc(skill) as counter 
| eval fieldnameReq="v".counter 
| timechart span=5m sum(count) by fieldnameReq limit=0

tread_splunk · ‎10-29-2021

I think this is what you mean. The hardest part is introducing the v1,v2,v3 etc field names.

If you're happy to retain the skill values, i.e. F1, F2, F3 (in your screenshot above) as the field names, then this becomes much simpler i.e....

index=_* index=_internal sourcetype=splunkd 
| rename component as skill 
| timechart span=5m count by skill limit=0

tread_splunk · ‎10-29-2021

Something like this...

index=_* index=_internal sourcetype=splunkd 
| rename component as skill 
| stats count by skill 
| streamstats count as counter 
| eval fieldnameReq="v".counter,stub="sum" 
| chart sum(count) over stub by fieldnameReq limit=0 
| fields - stub

Replace first 2 lines with your query. Working on another post that produces a timechart. 2 tics

tread_splunk · ‎10-29-2021

Neater solution, using transpose command.

index=_* index=_internal sourcetype=splunkd 
| rename component as skill 
| stats count by skill 
| streamstats count as counter 
| eval fieldnameReq="v".counter 
| fields - counter skill 
| transpose header_field=fieldnameReq

Extract count of each value of a field and create a timechart from it using stats

eval

stats

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!