How to get counts of events matching only particular value pattern from multi valued field

arrangineni
Path Finder

I am trying to get counts of events that match only a particular field value pattern from a multi-valued field.

Multi valued field values like:
name=abc;name=12345;name=246
name=12344
name=246;name=abc
name=12378

Need counts of events which only contain field values containing name=123* and ignore the ones which are a combination of others?

I did try the below but it includes all events containing name=123*
| makemv delim=";" multivalued-field
| rex field=multivalued-field "name=(?P<whatineed>[^,]+),"
| search whatineed="123*"

0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval _raw="raw
name=abc;name=12345;name=246
name=12344
name=246;name=abc
name=12378
name=12378;name=12379" 
| multikv forceheader=1 
| rex max_match=0 "name=(?<name>[^;]+)" 
| rename COMMENT as "this is sample. from here, the logic" 
| table name 
| rename COMMENT as "please check this result" 
| eval names=mvmap(name,if(match(name,"^123"),1,0)) 
| streamstats window=1 sum(names) as sums 
| where mvcount(names) = sums 
| stats count
0 Karma

arrangineni
Path Finder

@to4kawa thanks for assisting, but using the above approach I am also getting the count for " name=abc;name=12345;name=246" which I don't need.

I am looking for counts which ONLY included values 123* and ignore other combinations. But combination of 123* and 123* is valid.

0 Karma
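An added example, not part of the original thread: one way to express the requirement restated above (every value must start with 123, and any other value disqualifies the event) is to collect the non-matching values with mvfilter and keep only events where none remain. The sample rows are the ones from the thread; the field names raw, name and other are assumptions chosen for this example.

```spl
| makeresults
| eval raw=split("name=abc;name=12345;name=246|name=12344|name=246;name=abc|name=12378|name=12378;name=12379", "|")
| mvexpand raw
| rename COMMENT as "extract every name=... value of the event into one multivalue field"
| rex field=raw max_match=0 "name=(?<name>[^;]+)"
| rename COMMENT as "other holds the values that do NOT start with 123; mvfilter returns NULL when none are left"
| eval other=mvfilter(NOT match(name, "^123"))
| rename COMMENT as "keep events that have at least one value and no non-matching value"
| where isnotnull(name) AND isnull(other)
| stats count
```

Replacing the final stats with `| table raw name other` shows, per event, which values caused it to be dropped.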