Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I count unique values in a multi value field?

aarontmartin165
Explorer
‎04-17-2018 06:38 AM

I have a field cat which may display multiple fields of varying count FFIEC, GLBA, PPI or just PPI so there is no set count to the multivalue fields. I am attempting to count the number of times each unique value appears and graph it over time. My query is as follows:

my query | eval Policies=split(cat,";") | timechart span=1h count by Policies

My problem is that when the line chart is displayed there can be multiple lines for a Policy value. For example if the multivalue field returns 3 instances as follows

FFIEC; GLBA; PPI
PPI
PPI
FFIEC; GLBA; PPI

My line values would display PPI = 2 FFIEC = 2 GLBA= 2 PPI = 2

What I am hoping to achieve is PPI=4 FFIEC=2 GLBA=2

Can anyone identify the part of my query I have wrong?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

damien_chillet
Builder
‎04-17-2018 06:46 AM

You should try adding a space in your split separator:

my query | eval Policies=split(cat,"; ") | timechart span=1h count by Policies

View solution in original post

Reply
Solved! Jump to solution

evsmt
Explorer
‎04-17-2018 07:07 AM

Use mvexpand to create an event for each multi value value. You'll be able create a timechart with a line for each distict policy:

my query 
| eval Policies=split(cat,";") 
| mvexpand Policies
| timechart span=1h count by Policies
0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎04-17-2018 06:47 AM

Can you try:

my query | eval To_count=mvcount(split(cat,"; "))-1  | timechart span=1h values(To_count) by Policies
0 Karma
Reply
Solved! Jump to solution

aarontmartin165
Explorer
‎04-17-2018 07:35 AM

Why would I use the -1?

0 Karma
Reply
Solved! Jump to solution
Solution

damien_chillet
Builder
‎04-17-2018 06:46 AM

You should try adding a space in your split separator:

my query | eval Policies=split(cat,"; ") | timechart span=1h count by Policies
Reply
Solved! Jump to solution

aarontmartin165
Explorer
‎04-17-2018 07:37 AM

That appears to have worked but why?
If
cat= FFIEC; PPI
and
cat= PPI

There is no ; or " " on the second value so why would the "; " be any different than ";"?

0 Karma
Reply
Solved! Jump to solution

damien_chillet
Builder
‎04-17-2018 07:45 AM

split function will create a value for the multivalve field overtime it meets the splitter.
So, in first case "cat=FFIEC; PPI" it will return "FFIEC" and " PPI" if you use ";"
In second case it will just return "PPI" because nothing to split.

0 Karma
Reply
Solved! Jump to solution

aarontmartin165
Explorer
‎04-17-2018 08:13 AM

Got it, I was thinking that leading spaces would be dropped but as I read your explanation I realize I had no reason I should have expected that.

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎04-17-2018 06:44 AM

what happens if you just mvexpand on policies before the timechart?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...