Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract 2 multivalue fields and search the list of each fieldA that has more than one fieldB?

rafiqul_ahsan
New Member
‎06-12-2015 09:25 AM

From following search result - I want to extract User-Name and Calling-Station-Id, and both fields have multiple values. Once I am able to extract the fields, I will then need to find the list of Calling-Station-Id and User-Name, that meets following criteria :
"The same Calling-Station-Id has more than one User-Name". I will then need to see the trend of new Calling-Station-Id that matches this criteria. What's the best way to address this problem? Can anyone please help ?

2015/06/12 09:59:12.196 (Notice) Skipping AVP AAA-Value-0=  [1] = {(User-Name)=(!afsheen77@aaa.twcwifi.com),(Framed-IP-Address)=(10.106.42.82),(NAS-IP-Address)=(24.27.229.164),(NAS-Identifier)=(nycmny83-cr02ras03.wifi.rr.com),(NAS-Port)=(0),(NAS-Port-Id)=(0/0/0/201),(NAS-Port-Type)=(Virtual),(Calling-Station-Id)=(78-4b-87-e8-0e-10),(Called-Station-Id)=(F0-B0-52-37-D8-E0:TWCWiFi),(Class)=(VISITEDMSO\=}
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

maciep
Champion
‎06-12-2015 09:47 AM

I didn't it test it at all, but something like this maybe. 

[your initial search] | rex "User-Name\)=\((?<user>[^\)]+)" | rex "Calling-Station-Id\)=\((?<station>[^\)]+)" | stats dc(user) as user_count by station | where user_count > 1

View solution in original post

Reply
Solved! Jump to solution
Solution

maciep
Champion
‎06-12-2015 09:47 AM

I didn't it test it at all, but something like this maybe. 

[your initial search] | rex "User-Name\)=\((?<user>[^\)]+)" | rex "Calling-Station-Id\)=\((?<station>[^\)]+)" | stats dc(user) as user_count by station | where user_count > 1
Reply
Solved! Jump to solution

rafiqul_ahsan
New Member
‎06-12-2015 11:28 AM

Thanks this worked. the 2nd thing I wanted to do is to chart (may be timechart) the station counts by time. This way I can tell how many new stations are matching this criteria over time.

0 Karma
Reply
Solved! Jump to solution

maciep
Champion
‎06-15-2015 04:15 AM

I'm not sure how many stations you have, so the chart could be a little busy, but maybe just something like this?

[your initial search] | rex "User-Name)=((?[^)]+)" | rex "Calling-Station-Id)=((?[^)]+)" | timechart dc(user) as user_count by station

You could still pipe to where at the end too if you only want to see those that stations that have multiple users. It's really just a matter of exactly what you want to see on the timechart.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-12-2015 09:46 AM

Assuming you already have the field-extractions working, this will work for the first part:

... | stats dc(User-Name) AS numUsers values(User-Name) AS UserNames BY Calling-Station-Id | where users > 1

As for this part:

I will then need to see the trend of new Calling-Station-Id that matches this criteria.

I have no idea what you mean; you will have to be much more clear.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...