Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use mvcount to get the accurate count of a keyword by source

skakani114
New Member
‎09-23-2019 02:42 PM

I have logs that have a keyword "*CLP" repeated multiple times in each event. I am trying the get the total counts of CLP in each event. here is the search I am using. The problem I am facing is this search is working fine with small size events but when it comes to large events with more CLP counts, the results are not accurate. please help me to get the accurate count?

index="idx" source="*TAPSSC_123.123"  "*CLP*" |eval tokens = lower(replace(_raw, "\W+", " ")) |makemv tokens |eval matches = mvfilter(match(tokens, "^clp$")) |eval count_CLP = mvcount(matches) |stats sum(count_CLP) as CLP_count by source

Log sample:
You will see CLP keyword like that repeated multiple times in an event.
abvfyatfpwutnqwa25~CLP*k123456*1REF*6T*P1282158997301~AMT*c120~CLP*P11802586130*1*356612125491516

0 Karma
Reply

renjith_nair
Legend
‎09-23-2019 09:36 PM

@skakani114 ,

Try this and test against your data

index="idx" source="*TAPSSC_123.123" "CLP"
|rex field=_raw max_match=0 "(?<clps>(?i)(CLP))"|stats count by clps
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

skakani114
New Member
‎09-25-2019 11:47 AM

Thankyou so much for you help. i use this query and i am still not getting the accurate result. could you please suggest how to proceed?
is there any limits.conf to check ?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...