Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to count number of values in multi-valued fiel...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to count number of values in multi-valued field , dynamically?
vijay_k
Engager
08-29-2022
12:36 AM
<input type="multiselect" token="product_token" searchWhenChanged="true">
<label>Product types</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<initialValue>*</initialValue>
<valuePrefix>DB_Product="*</valuePrefix>
<valueSuffix>*"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>DB_Product</fieldForLabel>
<fieldForValue>DB_Product</fieldForValue>
<search base="base_search_Products">
<query>|dedup DB_Product | table DB_Product</query>
</search>
</input>
This is my input multi select , thorugh which user select product Types example - All /A,B,C,D etc
I need to count, How many Product types are selcted by user . This info i need for further processing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
08-29-2022
08:22 AM
Are you looking for something like this? Just try this example.
<form version="1.1">
<label>Test</label>
<fieldset submitButton="false">
<input type="multiselect" token="product_token" searchWhenChanged="true">
<label>Product types</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<initialValue>*</initialValue>
<valuePrefix>DB_Product="*</valuePrefix>
<valueSuffix>*"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>DB_Product</fieldForLabel>
<fieldForValue>DB_Product</fieldForValue>
<search>
<query>| makeresults count=10
| eval a=1
| accum a
| eval DB_Product="DB_PR_"+a | table DB_Product</query>
</search>
<change>
<condition match="$form.product_token$=="*"">
<eval token="tmp">$form.product_token$</eval>
<eval token="select_count">mvcount('form.product_token')</eval>
</condition>
<condition>
<eval token="tmp">mvcount('form.product_token')</eval>
<eval token="select_count">mvcount('form.product_token')</eval>
</condition>
</change>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>| makeresults count=10
| eval a=1
| accum a
| eval DB_Product="DB_PR_"+a | table DB_Product
| search $product_token$
| eval count="$select_count$"</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</table>
</panel>
</row>
</form>
I hope this will help you.
Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
08-29-2022
01:02 AM
<change>
<eval token="select_count">mvcount('form.product_token')</eval>
</change>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vijay_k
Engager
08-29-2022
02:04 AM
<input type="multiselect" token="product_token" searchWhenChanged="true">
<label>Product types</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<initialValue>*</initialValue>
<valuePrefix>DB_Product="*</valuePrefix>
<valueSuffix>*"</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>DB_Product</fieldForLabel>
<fieldForValue>DB_Product</fieldForValue>
<search base="base_search_Products">
<query>|dedup DB_Product | table DB_Product</query>
</search>
<change>
<eval token="select_count">mvcount('form.product_token')</eval>
</change>
</input>
I added change tag within input but it gives values NULL
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
08-29-2022
02:24 AM
How are you using the token?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vijay_k
Engager
08-29-2022
02:28 AM
index="example" source="Stash_test"|search $product_token$
|eval countn=$select_count$
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
