How to search the total number of paths in a multivalue field?

ikenahim7
Explorer

Hi,

I have JSON coming from CI with this template:

{"source":"1","sourcetype":"json","event":{"type":"build","id":"061","duration":"48","run_id":"1","paths":["value1",".value2","value3"]}}

The fields are listed in Splunk as:

id, duration, sourcetype, paths{}, and I can list all the values, but my issue is I want to count paths{} (more than 11k values). I tried using mvcount as

| eval totalpaths = mvcount(paths)

which returns nothing, and

| eval totalpaths = mvcount(paths{})

which returns 1.

Is there a way I can return the total number of paths?

How can I list all paths?

I tried using

| stats values(paths{}) as paths
| stats count(eval(paths)) AS totalbazelpaths

which returns 378, while the actual value is above 11k.

When expanding the paths{} field I can see all 11k paths.

What am I doing wrong here?

Thanks

1 Solution

yuanliu
SplunkTrust

Do you see these 11K paths{} values in a single event, or as a total over the search period (e.g., last 24 hours)? If the latter, you will need to add them up, like

 index="build-report" run_id="1" type="bazel" 
| eval totalpaths = mvcount('paths{}')
| stats sum(totalpaths)

or if you are looking for unique paths{} during the search period,

 index="build-report" run_id="1" type="bazel" 
| stats dc('paths{}')


yuanliu
SplunkTrust

I imagine Splunk would give you the field name event.paths{} instead of just paths{}? Either way, you need single quotes around field names containing special characters, like

| eval totalpaths = mvcount('event.paths{}')

or

| eval totalpaths = mvcount('paths{}')

or

| stats dc('paths{}') as paths
| stats sum(paths) as totalbezelpaths

and so on.

ikenahim7
Explorer

I tried

 index="build-report" run_id="1" type="bazel" 
| eval totalpaths = mvcount('paths{}')
| table totalpaths

returns 235 instead of 11k. What could be causing this?


yuanliu
SplunkTrust

or if you are looking for unique paths{} during the search period,

 index="build-report" run_id="1" type="bazel" 
| stats dc('paths{}')

For future reference, the stats() function cannot use a single-quoted field name directly. The above should be modified to something like

index="build-report" run_id="1" type="bazel" 
| stats dc(eval('paths{}')) as paths

ikenahim7
Explorer

The issue was that the Splunk instance was limited to reading 1000 characters only. Thanks for helping, though.
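As an added illustration (not code from this thread or from Splunk), the Python below models what the SPL in yuanliu's answer computes over several events: the per-event mvcount, the stats sum across the search period, and the distinct count. It also adds the raw-length check that would have exposed the character read limit ikenahim7 found. The sample events, the field name event.paths and the limit argument are constructed for the example.

```python
import json
from typing import Iterable, List

# Constructed sample events (not from the thread): three build events with an
# event.paths array each, of different lengths and with some shared values.
RAW_EVENTS = [
    json.dumps({"event": {"type": "bazel", "run_id": "1",
                          "paths": ["src/a", "src/b", "src/c"]}}),
    json.dumps({"event": {"type": "bazel", "run_id": "1",
                          "paths": ["src/b", "src/d"]}}),
    json.dumps({"event": {"type": "bazel", "run_id": "1",
                          "paths": ["src/e", "src/a", "src/f", "src/g"]}}),
]


def paths_of(raw: str) -> List[str]:
    """Model of spath extracting event.paths{} from one event's _raw."""
    return json.loads(raw)["event"].get("paths", [])


def mvcount_per_event(raws: Iterable[str]) -> List[int]:
    """| eval totalpaths = mvcount('event.paths{}')  -> one count per event.
    This is what the search in the thread returned as 235: the size of one
    event's multivalue field, not the total across the search period."""
    return [len(paths_of(r)) for r in raws]


def sum_over_events(raws: List[str]) -> int:
    """| stats sum(totalpaths)  -> total path values across all events."""
    return sum(mvcount_per_event(raws))


def distinct_paths(raws: List[str]) -> int:
    """| stats dc(eval('event.paths{}'))  -> unique path values across events."""
    return len({p for r in raws for p in paths_of(r)})


def events_over_limit(raws: List[str], limit: int) -> List[int]:
    """Indexes of events whose raw JSON is longer than the ingestion character
    limit. Such an event is cut off before its array ends, so every count above
    is computed on a partial multivalue field and comes out too low."""
    return [i for i, r in enumerate(raws) if len(r) > limit]


if __name__ == "__main__":
    print("per event:", mvcount_per_event(RAW_EVENTS))         # [3, 2, 4]
    print("sum:", sum_over_events(RAW_EVENTS))                  # 9
    print("distinct:", distinct_paths(RAW_EVENTS))              # 7
    print("over 85 chars:", events_over_limit(RAW_EVENTS, 85))  # [2]
```

Run the length check over real events with the instance's actual limit before trusting any of the counts; a non-empty result means the source needs the limit raised or the events split.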

ikenahim7
Explorer

Just tried it; it doesn't return any value:

index="build_report" run_id="1" type="gradle"
| rename paths{} as path
| eval path_count=mvcount(split(path,","))-1
| table path_count

Empty table 😕

chaker
Contributor

Try using the example of mvcount() from docs:
https://docs.splunk.com/Documentation/SCS/current/SearchReference/MultivalueEvalFunctions#mvcount.28...

| eval To_count=mvcount(split(To,"@"))-1

| rename paths{} as path
| eval path_count=mvcount(split(path,","))-1