Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I count unique values in a multi value field?

aarontmartin165
Explorer
‎04-17-2018 06:38 AM

I have a field cat which may display multiple fields of varying count FFIEC, GLBA, PPI or just PPI so there is no set count to the multivalue fields. I am attempting to count the number of times each unique value appears and graph it over time. My query is as follows:

my query | eval Policies=split(cat,";") | timechart span=1h count by Policies

My problem is that when the line chart is displayed there can be multiple lines for a Policy value. For example if the multivalue field returns 3 instances as follows

FFIEC; GLBA; PPI
PPI
PPI
FFIEC; GLBA; PPI

My line values would display PPI = 2 FFIEC = 2 GLBA= 2 PPI = 2

What I am hoping to achieve is PPI=4 FFIEC=2 GLBA=2

Can anyone identify the part of my query I have wrong?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

damien_chillet
Builder
‎04-17-2018 06:46 AM

You should try adding a space in your split separator:

my query | eval Policies=split(cat,"; ") | timechart span=1h count by Policies

View solution in original post

Reply
Solved! Jump to solution

evsmt
Explorer
‎04-17-2018 07:07 AM

Use mvexpand to create an event for each multi value value. You'll be able create a timechart with a line for each distict policy:

my query 
| eval Policies=split(cat,";") 
| mvexpand Policies
| timechart span=1h count by Policies
0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎04-17-2018 06:47 AM

Can you try:

my query | eval To_count=mvcount(split(cat,"; "))-1  | timechart span=1h values(To_count) by Policies
0 Karma
Reply
Solved! Jump to solution

aarontmartin165
Explorer
‎04-17-2018 07:35 AM

Why would I use the -1?

0 Karma
Reply
Solved! Jump to solution
Solution

damien_chillet
Builder
‎04-17-2018 06:46 AM

You should try adding a space in your split separator:

my query | eval Policies=split(cat,"; ") | timechart span=1h count by Policies
Reply
Solved! Jump to solution

aarontmartin165
Explorer
‎04-17-2018 07:37 AM

That appears to have worked but why?
If
cat= FFIEC; PPI
and
cat= PPI

There is no ; or " " on the second value so why would the "; " be any different than ";"?

0 Karma
Reply
Solved! Jump to solution

damien_chillet
Builder
‎04-17-2018 07:45 AM

split function will create a value for the multivalve field overtime it meets the splitter.
So, in first case "cat=FFIEC; PPI" it will return "FFIEC" and " PPI" if you use ";"
In second case it will just return "PPI" because nothing to split.

0 Karma
Reply
Solved! Jump to solution

aarontmartin165
Explorer
‎04-17-2018 08:13 AM

Got it, I was thinking that leading spaces would be dropped but as I read your explanation I realize I had no reason I should have expected that.

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎04-17-2018 06:44 AM

what happens if you just mvexpand on policies before the timechart?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...