Splunk Search

How to count all events by a value combination even if the values appear in different fields?

Motivator

Hi,

let's say we have an event with

Field1=A
Field2=B

and another event with

Field1=B
Field2=A

How can I count all events grouped by such kind of value combination even if the values appear in different fields?
I could use

 count(eval(if((Field1="A" AND  Field2="B") OR (Field1="B" AND Field2="A"), source, null())))

But there is no static list of possible values for the fields so it needs to be a dynamic search.
I'm expecting some kind of multivalue transformation but can't find a solution.

Thanks in advance

0 Karma

Esteemed Legend

Like this:

... | eval ValueA="No" | eval ValuePound="No" | foreach * [ 
    eval ValuePound=if(('<<FIELD>>'="#"), "<<FIELD>>", ValuePound) 
    | eval ValueA=if(('<<FIELD>>'="A"), "<<FIELD>>", ValueA) ] 
| stats count(eval(ValueA!="No")) AS NumValueA count(eval(ValuePound!="No")) AS NumValuePound
0 Karma

Revered Legend

Give this a try

your base search | eval groupfield=mvsort(split(Field1."#".Field2,"#")) | stats count by groupfield

Motivator

This results in a count by every value, so twice the amount of events.

0 Karma

Motivator

This seems to work:

| eval mv='field1'."#".'field2'
| makemv delim="#" mv

| eval groupfield=mvsort(mv)
| makemv delim="#" groupfield

| stats count by groupfield

0 Karma
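Added example, not code from any of the posters above: the "twice the amount of events" effect in the reply to the mvsort answer comes from `stats ... by` a multivalue field, which produces one row per value. Joining the sorted values back into a single string with mvjoin gives a single-valued, order-independent key, so each event is counted exactly once per unordered pair. The four sample events are constructed inline with makeresults; the field names follow the question. The same pattern pairs up two-way conversations (for example source and destination hosts) regardless of direction, which is a common need when building detections.

```spl
| makeresults count=4
| streamstats count AS n
| eval Field1=case(n=1,"A", n=2,"B", n=3,"A", n=4,"C"),
       Field2=case(n=1,"B", n=2,"A", n=3,"C", n=4,"A")
| fields - _time n
| eval groupfield=mvjoin(mvsort(split(Field1."#".Field2, "#")), "#")
| stats count BY groupfield
```

With the constructed rows (A/B, B/A, A/C, C/A) this yields two groups, `A#B` with count 2 and `A#C` with count 2, instead of the four rows you would get with a multivalue groupfield. The approach extends to more than two fields by concatenating each additional field with the same `#` delimiter before the split.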