How to create a table showing the count of values ...

beaverjustin1 · ‎05-10-2023

If I have queries with Lists/Arrays containing events :

line.Data = [eventOne, eventThree]; line.Data = [eventOne, eventTwo];

How can I create a table that shows the count of the different events:

eventOne: 2

eventTwo: 1

eventThree: 1

ITWhisperer · ‎05-10-2023

Here is a runanywhere example of how you might approach this

| makeresults
| fields - _time
| eval line.Data = split("[eventOne, eventThree];[eventOne, eventTwo]",";")
| mvexpand line.Data
``` the lines above create sample events, one event per line.Data ```
| eval event=split(trim('line.Data',"[]"),", ")
| stats count by event

TrangCIC81 · ‎05-10-2023

Try this.

<your base search>
| mvexpand line.Data
| stats count by line.Data

Replace <your base search> with the search that produces the line.Data field containing the lists/arrays.
Use the mvexpand command to expand the line.Data field into separate rows, one for each event in the list.
Use the stats command with the count function to count the number of occurrences of each event.

How to create a table showing the count of values across Lists/Arrays in multiple queries?

chart

count

eval

field extraction

fields

stats

table

tstats

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...