Solved: Re: issue with multivalue field

ikenahim7 · ‎07-28-2022

Hi,

I have a json coming from CI with this template :

{"source":"1","sourcetype":"json","event":{"type":"build","id":"061","durartion":"48","run_id":"1","paths":["value1",".value2","value3"]}

the filed are listed in splunk as:

id, duration, sourcetype, paths{} and i can list all the values but my issue is i want to count paths{} (more then 11k values) I tried using mvcount as

| eval totalpaths = mvcount(paths) retuns nothing

| eval totalpaths = mvcount(paths{}) return 1

is there a way how i can return the number of total path ?

how i can list all paths ?

I tried using

| stats values(paths{}) as paths | stats count(eval(paths)) AS totalbazelpaths returns 378 while the actual value is above 11k.

when expanding paths{} field I can see all 11k paths.

what im doing wrong here?

thanks

yuanliu · ‎07-30-2022

Do you see these 11K paths{} values in a single event or a total in the search period (e.g., last 24 hours)? If the latter, you will need to add them up, like

 index="build-report" run_id="1" type="bazel" 
| eval totalpaths = mvcount('paths{}')
| stats sum(totalpaths)

or if you are looking for unique paths{} during the search period,

 index="build-report" run_id="1" type="bazel" 
| stats dc('paths{}')

View solution in original post

ikenahim7 · ‎07-30-2022

Im extending the query if you can help - see https://community.splunk.com/t5/Splunk-Search/Compare-two-search-results-and-list-difference-and-mat... 🙂 thanks

yuanliu · ‎07-28-2022

I imagine Splunk would give you field name event.paths{} instead of just paths{}? Either way, you need single quotes around field names containing special characters, like

| eval totalpaths = mvcount('event.paths{}')

or

| eval totalpaths = mvcount('paths{}')

or

| stats dc('paths{}') as paths
| stats sum(paths) as totalbezelpaths

and so on.

ikenahim7 · ‎07-28-2022

I tried

index="build-report" run_id="1" type="bazel"
| eval totalpaths = mvcount('paths{}')
| table totalpaths

returns 235 instead of 11k . what could be causing this ?

yuanliu · ‎07-30-2022

Do you see these 11K paths{} values in a single event or a total in the search period (e.g., last 24 hours)? If the latter, you will need to add them up, like

 index="build-report" run_id="1" type="bazel" 
| eval totalpaths = mvcount('paths{}')
| stats sum(totalpaths)

or if you are looking for unique paths{} during the search period,

 index="build-report" run_id="1" type="bazel" 
| stats dc('paths{}')

yuanliu · ‎07-31-2022

or if you are looking for unique paths{} during the search period,

 index="build-report" run_id="1" type="bazel" 
| stats dc('paths{}')

For future reference, stats() function cannot use single quoted field name directly. The above should be modified to something like

index="build-report" run_id="1" type="bazel" 
| stats dc(eval('paths{}')) as paths

ikenahim7 · ‎07-30-2022

The issue was with Splunk instance was limited to read 1000 character only. thanks for helping tho

ikenahim7 · ‎07-28-2022

Just tried it doesnt return any value

index="build_report" run_id="1" type="gradle"
| rename paths{} as path
| eval path_count=mvcount(split(path,","))-1
| table path_count

empty table 😕

chaker · ‎07-28-2022

Try using the example of mvcount() from docs:
https://docs.splunk.com/Documentation/SCS/current/SearchReference/MultivalueEvalFunctions#mvcount.28...

| eval To_count=mvcount(split(To,"@"))-1

| rename path{} as path
| eval path_count=mvcount(split(path,","))-1

How to search number of total path in multivalue field?

count

eval

field extraction

fields

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio