Hi @reverse ,
You could try the following search:
... [ your search stuff here ] ...
| eval V3 = mvcount(mvdedup(split(V2, " ")))
To address the individual counts by each value of V2:
... [ your search stuff here ] ...
| eval key = V1 . "|" . mvjoin(V2, "|")
| mvexpand V2
| eventstats count as V2_Count by V2 key
| eval V2P = V2 . " Count = " . V2_Count
| stats values(V2P) as V3 list(V2) as V2 by key
| eval V1 = mvindex(split(key, "|"), 0)
| table V1 V2 V3
Hi @reverse ,
You could try the following search:
... [ your search stuff here ] ...
| eval V3 = mvcount(mvdedup(split(V2, " ")))
To address the individual counts by each value of V2:
... [ your search stuff here ] ...
| eval key = V1 . "|" . mvjoin(V2, "|")
| mvexpand V2
| eventstats count as V2_Count by V2 key
| eval V2P = V2 . " Count = " . V2_Count
| stats values(V2P) as V3 list(V2) as V2 by key
| eval V1 = mvindex(split(key, "|"), 0)
| table V1 V2 V3
@jnudell_2- you rock!! amazing!
thanks .. but didn't work ... v2 is a list .. each item in a separate line.. so there was no need for split .. i removed it .. still didn't work ..
V3 gave me count of total distinct values .. i wanted count of each Xs.. Ys ans Zs... hope i am able to remove the confusion now..
I have updated the answer, given your clarification.
@Vijeta please guide.
| stats count(action) as V1, list(NAMES) as V2 by SOMETHING
ABOVE IS RESULT OF THIS