Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get the count of unique values for a field ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aaron_Fogarty
Path Finder
04-25-2016
09:15 AM
I have a field named Visit that can have several vales: "Order Entry", "Order Reference" and 5 others. I want to count every Visit per event only once per value.
What I mean by this is that in Example one, the Visit count for this event will be only 1
and in Example two, the Visit count for the event will be 2.
Event Example one:
Client - User:123 - Visit="Order Entry" - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - New selection begin - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - New selection begin - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - Loading selection begin - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - Visit="Order Entry" - Apr 25, 2016, 9:34:58 AM EDT
Event Example two:
Client - User:456 - Visit="Order Entry" - Apr 25, 2016, 6:46:22 AM EDT
Client - User:456 - New order begin - Apr 25, 2016, 6:46:22 AM EDT
Client - User:456 - Visit="Order Reference" - Apr 25, 2016, 6:46:22 AM EDT
Client - User:456 - Successful login. Failed login attempts 0.
Thank you.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
04-25-2016
10:11 AM
Hi,
If your events are separated as you described above, you can try this:
your search here
| rex max_match=0 "Visit=(?<visits>\"[^\"]+\")"
| mvexpand visits
| stats values(visits) as visits dc(visits) as visit_counts by _raw
Example 1:
| stats count
| eval _raw = "
Client - User:123 - Visit=\"Order Entry\" - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - New selection begin - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - New selection begin - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - Loading selection begin - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - Visit=\"Order Entry\" - Apr 25, 2016, 9:34:58 AM EDT
"
| rex max_match=0 "Visit=(?<visits>\"[^\"]+\")"
| mvexpand visits
| stats values(visits) as visits dc(visits) as visit_counts by _raw
# visit_counts = 1
Example 2:
| stats count
| eval _raw = "
Client - User:456 - Visit=\"Order Entry\" - Apr 25, 2016, 6:46:22 AM EDT
Client - User:456 - New order begin - Apr 25, 2016, 6:46:22 AM EDT
Client - User:456 - Visit=\"Order Reference\" - Apr 25, 2016, 6:46:22 AM EDT
Client - User:456 - Successful login. Failed login attempts 0.
"
| rex max_match=0 "Visit=(?<visits>\"[^\"]+\")"
| mvexpand visits
| stats values(visits) as visits dc(visits) as visit_counts by _raw
# visit_counts = 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
04-25-2016
10:11 AM
Hi,
If your events are separated as you described above, you can try this:
your search here
| rex max_match=0 "Visit=(?<visits>\"[^\"]+\")"
| mvexpand visits
| stats values(visits) as visits dc(visits) as visit_counts by _raw
Example 1:
| stats count
| eval _raw = "
Client - User:123 - Visit=\"Order Entry\" - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - New selection begin - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - New selection begin - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - Loading selection begin - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - Visit=\"Order Entry\" - Apr 25, 2016, 9:34:58 AM EDT
"
| rex max_match=0 "Visit=(?<visits>\"[^\"]+\")"
| mvexpand visits
| stats values(visits) as visits dc(visits) as visit_counts by _raw
# visit_counts = 1
Example 2:
| stats count
| eval _raw = "
Client - User:456 - Visit=\"Order Entry\" - Apr 25, 2016, 6:46:22 AM EDT
Client - User:456 - New order begin - Apr 25, 2016, 6:46:22 AM EDT
Client - User:456 - Visit=\"Order Reference\" - Apr 25, 2016, 6:46:22 AM EDT
Client - User:456 - Successful login. Failed login attempts 0.
"
| rex max_match=0 "Visit=(?<visits>\"[^\"]+\")"
| mvexpand visits
| stats values(visits) as visits dc(visits) as visit_counts by _raw
# visit_counts = 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aaron_Fogarty
Path Finder
04-26-2016
02:14 AM
That is perfect javiergn. Exactly what I was looking to do. Cheers.
Get Updates on the Splunk Community!
Data Management Digest – November 2025
Welcome to the inaugural edition of Data Management Digest!
As your trusted partner in data innovation, the ...
Splunk Mobile: Your Brand-New Home Screen
Meet Your New Mobile Hub
Hello Splunk Community!
Staying connected to your data—no matter where you are—is ...
Introducing Value Insights (Beta): Understand the Business Impact your organization ...
Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...
