Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search the count of field value occurrences, not event count, of multivalue fields in multiline events?

masonmorales
Influencer
‎03-06-2015 01:47 PM

I have multiline events that contain anywhere from 1 to 30 status codes per event. For example:

status = success
status = success
status = failed
status = success

By default, I get a single field called "status" that contains a count of how many times "success" occurred and how many times "failed" occurred.

I would like to have two separate numerical fields, one called success_count and the other called failed_count that contain a count of how many times each value of the "status" field occurred per event (i.e. success_count=3, failed_count=1 in this example).

I have tried:

| stats count(eval(status="success")) as success_count, count(eval(status="failed")) as failed_count

However, the resulting counts appear to be the number of events that contain success_count and the number of events that contain failed_count, rather than a total count of all the field value occurrences for status=failed and status=success within each event.

Any help would be greatly appreciated!

Reply
1 Solution
Solved! Jump to solution
Solution

ramdaspr
Contributor
‎03-08-2015 09:09 PM

Assuming you have a mutivalue field called status the below (untested) code might work.

 .. | eval foo=mvfilter(match(status,"success")) | eval bar=mvfilter(match(status,"failed")) | streamstats window=1 current=t count(foo) as success_count,count(bar) as failed_count | table status,success_count,failed_count

View solution in original post

Reply
Solved! Jump to solution

ppablo
Retired
‎03-16-2015 12:23 PM

Hi @masonmorales

Just following up with this question, but did @ramdaspr's answer below help solve your question? If yes, please resolve this post by clicking "Accept" directly below the answer. If you found another solution that did work, please share. Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

ramdaspr
Contributor
‎03-08-2015 09:09 PM

Assuming you have a mutivalue field called status the below (untested) code might work.

 .. | eval foo=mvfilter(match(status,"success")) | eval bar=mvfilter(match(status,"failed")) | streamstats window=1 current=t count(foo) as success_count,count(bar) as failed_count | table status,success_count,failed_count
Reply
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...