Solved: How to count after rex multivalue?

kp3343 · ‎05-18-2023

Hi,

I am doing rex on a field that looks like this (showing multiple events below)

a#1|b#30|c#6|d#9

b#5|d#7|e#5|f#4

a#6|c#4|e#9

My rex is

rex field=raw max_match=0 "((?<service>[^#]*)#(?<totalRows>[^\|]*)\|?)

Resulting into

service	totalRows
a b c d	1 30 6 9
b d e f	5 7 5 4
a c e	6 4 9

How can I create a sum of all totalRows for each service ? Basically looking for something that will output like below

service	totalRows
a	7
b	35
c	10
d	16
e	14
f	4

ITWhisperer · ‎05-18-2023

Try something like this

| eval row=mvrange(0,mvcount(service))
| mvexpand row
| eval service=mvindex(service, row)
| eval totalRows=mvindex(totalRows, row)
| stats sum(totalRows) as totalRows by service

View solution in original post

ITWhisperer · ‎05-18-2023

Try something like this

| eval row=mvrange(0,mvcount(service))
| mvexpand row
| eval service=mvindex(service, row)
| eval totalRows=mvindex(totalRows, row)
| stats sum(totalRows) as totalRows by service

How to count after rex multivalue?

stats

table

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Join the Conversation