Solved: Help with multivalue field count

vrmandadi · ‎01-03-2018

Hello,

I have a multivalue field with two values.

segment_status:

SUCCEEDED-1234333

FAILED-34555

I am trying to get the total of segment status and individual count of Succeeded and FAILED

for the total count I have done the below query

eventtype=abc ... segment_status=*
| eval abc=mvcount(segment_status) |stats sum(abc) as "Total"--this gives me the correct total of both succeded and failed. but I am not able to get the individual count of succesded and failed.

this is the query i tried
eventtype=abc ... segment_status=SUCCEEDED
| eval success=mvcount(segment_status) |stats sum(abc) as "Total" -- this is again giving me the total count but not for success.

Thanks in advance

micahkemp · ‎01-03-2018

Try this:

| eval succeeded=mvfilter(match(segment_status, "SUCCEEDED"))
| eval failed=mvfilter(match(segment_status, "FAILED"))
| stats count(succeeded) AS succeeded_count, count(failed) AS failed_count

View solution in original post

kamlesh_vaghela · ‎01-03-2018

Hi @vrmandadi ,

Can you please try this one ?

eventtype=abc ... segment_status=*
| stats sum(eval(like(segment_status,"%FAILED%"))) as FAILED_COUNT sum(eval(like(segment_status,"%SUCCEEDED%"))) as SUCCEEDED_COUNT

My Sample Search:

| makeresults 
| eval segment_status="SUCCEEDED-1234333,FAILED-34555" 
| makemv delim="," segment_status 
| append 
    [| makeresults 
    | eval segment_status="SUCCEEDED-1234333,FAILED-34555" 
    | makemv delim="," segment_status] 
| append 
    [| makeresults 
    | eval segment_status="SUCCEEDED-1234333" 
    | makemv delim="," segment_status] 
| append 
    [| makeresults 
    | eval segment_status="FAILED-34555" 
    | makemv delim="," segment_status] 
| append 
    [| makeresults 
    | eval segment_status="FAILED-34555" 
    | makemv delim="," segment_status] 
| stats sum(eval(like(segment_status,"%FAILED%"))) as FAILED_COUNT sum(eval(like(segment_status,"%SUCCEEDED%"))) as SUCCEEDED_COUNT

Thanks
Kamlesh

vrmandadi · ‎01-03-2018

Hey kamlesh,

I tried your search but the results are not correct

somesoni2 · ‎01-03-2018

Give this a try

eventtype=abc ... segment_status=*
| eval SUCCEEDED=if(isnotnull(mvfind(match(segment_status,"SUCCEEDED"))),1,0)
| eval FAILED=if(isnotnull(mvfind(match(segment_status,"FAILED"))),1,0)
| stats sum(FAILED) as FAILED sum(SUCCEEDED) as SUCCEEDED count as Total

vrmandadi · ‎01-03-2018

It shows error

Error in 'eval' command: The expression is malformed. Expected ).

micahkemp · ‎01-03-2018

Oops, edited to correct that. 🙂

micahkemp · ‎01-03-2018

Try this:

| eval succeeded=mvfilter(match(segment_status, "SUCCEEDED"))
| eval failed=mvfilter(match(segment_status, "FAILED"))
| stats count(succeeded) AS succeeded_count, count(failed) AS failed_count

nick405060 · ‎02-15-2019

Ty! I did this for counting internal and external recipient_domains, where recipient_domain is an mv field.

eval count_internal=mvcount(mvfilter(match(recipient_domain, "abc.com")))
and
eval count_external=mvcount(mvfilter(!match(recipient_domain, "abc.com")))

vrmandadi · ‎01-03-2018

it says Error in 'eval' command: The expression is malformed. Expected ).

vrmandadi · ‎01-03-2018

I just added a bracket and it worked

| eval succeeded=mvfilter(match(segment_status, "SUCCEEDED")) | eval failed=mvfilter(match(segment_status, "FAILED")) | stats count(succeeded) AS succeeded_count, count(failed) AS failed_count

Thnks

Help with multivalue field count

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation