Solved: How to search the count of a field's values in a c...

heming277 · ‎04-13-2016

Hi,

I have a serious problem. I'm trying to get the counts of all the values for a field in a comma delimited list, but seems Splunk only picks up the first value, so I cannot use stats count by Fieldname to show it directly.

Part of the search is this:

&fieldA=a,b,c,d&fieldB=a,b,c,d HTTP/1.1" 200

How do I get all the counts for a, b, c, d and output the count in a table?

For example:

Field A

a 20
b 22
c 23
d 24

Please suggest a search, thanks.

somesoni2 · ‎04-13-2016

Try like this (assuming the field names are fixed, e.g. fieldA fieldB etc.)

your base search | rex field=_raw "fieldA=(?<fieldA>[^&\s]+)" | makemv fieldA delim="," | stats count by fieldA

View solution in original post

somesoni2 · ‎04-13-2016

Try like this (assuming the field names are fixed, e.g. fieldA fieldB etc.)

your base search | rex field=_raw "fieldA=(?<fieldA>[^&\s]+)" | makemv fieldA delim="," | stats count by fieldA

heming277 · ‎04-13-2016

thank you! it seems to work

How to search the count of a field's values in a comma delimited list and display it as a table?

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

How to search the count of a field's values in a comma delimited list and display it as a table?

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!