Hi,
I have a JSON coming from CI with this template:
{"source":"1","sourcetype":"json","event":{"type":"build","id":"061","duration":"48","run_id":"1","paths":["value1",".value2","value3"]}}
The fields are listed in Splunk as:
id, duration, sourcetype, paths{}, and I can list all the values, but my issue is that I want to count paths{} (more than 11k values). I tried using mvcount as
| eval totalpaths = mvcount(paths) returns nothing
| eval totalpaths = mvcount(paths{}) returns 1
Is there a way I can return the total number of paths?
How can I list all paths?
I tried using
| stats values(paths{}) as paths | stats count(eval(paths)) AS totalbazelpaths returns 378 while the actual value is above 11k.
When expanding the paths{} field I can see all 11k paths.
What am I doing wrong here?
Thanks
I'm extending the query, if you can help - see https://community.splunk.com/t5/Splunk-Search/Compare-two-search-results-and-list-difference-and-mat... 🙂 Thanks
I imagine Splunk would give you field name event.paths{} instead of just paths{}? Either way, you need single quotes around field names containing special characters, like
| eval totalpaths = mvcount('event.paths{}')
or
| eval totalpaths = mvcount('paths{}')
or
| stats dc('paths{}') as paths
| stats sum(paths) as totalbezelpaths
and so on.
I tried
index="build-report" run_id="1" type="bazel"
| eval totalpaths = mvcount('paths{}')
| table totalpaths
Returns 235 instead of 11k. What could be causing this?
Do you see these 11K paths{} values in a single event or a total in the search period (e.g., last 24 hours)? If the latter, you will need to add them up, like
index="build-report" run_id="1" type="bazel"
| eval totalpaths = mvcount('paths{}')
| stats sum(totalpaths)
or if you are looking for unique paths{} during the search period,
index="build-report" run_id="1" type="bazel"
| stats dc('paths{}')
For future reference, the stats() function cannot use a single-quoted field name directly. The above should be modified to something like
index="build-report" run_id="1" type="bazel"
| stats dc(eval('paths{}')) as paths
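Added example, not part of any post in this thread: a self-contained search that contrasts the per-event mvcount with the total and the distinct count across events. The three events are constructed with makeresults and the sample/... path values are made up; the rename step is an alternative to the dc(eval('paths{}')) form shown above.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "{\"run_id\":\"1\",\"paths\":[\"sample/a\",\"sample/b\",\"sample/c\"]}",
    n=2, "{\"run_id\":\"1\",\"paths\":[\"sample/a\",\"sample/d\"]}",
    n=3, "{\"run_id\":\"1\",\"paths\":[\"sample/d\"]}")
| spath
| rename "paths{}" AS path
| eval per_event=mvcount(path)
| stats sum(per_event) AS total_paths, dc(path) AS unique_paths
```

Replacing the final stats line with `| table n per_event` shows the per-event counts that a bare mvcount reports, which is why a single row can be far smaller than the total across the search period.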
The issue was that the Splunk instance was limited to read 1000 characters only. Thanks for helping, though.
Just tried it, it doesn't return any value
index="build_report" run_id="1" type="gradle"
| rename paths{} as path
| eval path_count=mvcount(split(path,","))-1
| table path_count
Empty table 😕
Try using the example of mvcount() from docs:
https://docs.splunk.com/Documentation/SCS/current/SearchReference/MultivalueEvalFunctions#mvcount.28...
| eval To_count=mvcount(split(To,"@"))-1
| rename path{} as path
| eval path_count=mvcount(split(path,","))-1