Splunk Search

How to write a search to get an accurate count of fields with the same name in a single event?

Lindaiyu
Path Finder

Hello Splunkers,

Here are my sample events:

ID=000, GROUP="A", GROUP="B", TYPE="NA"
ID=001, GROUP="A", TYPE="NB"

The problem is when I use the search command:

    ...|stats count by GROUP

I will get this result in Splunk:

GROUP          count
A              2

While what I really want to get is:

GROUP          count
A              2
B              1

I think the problem is that the field GROUP can have multiple values per event, and Splunk just takes the first as its value. Since I can't change the source data, what can I do in this situation?

Thank you very much for your attention.
Daiyu

0 Karma
1 Solution

somesoni2
SplunkTrust

Give this a try as well (in-line with search)

your base search | table _raw | extract kvdelim="=" mv_add=t | stats count by group


Lindaiyu
Path Finder

It works, and thank you very much for your help!

0 Karma

woodcock
Esteemed Legend

If using rex then add max_match=0; if using props.conf, then add MV_ADD=1

0 Karma

Lindaiyu
Path Finder

Thank you very much for your help!

0 Karma

jplumsdaine22
Influencer

You can try extracting GROUP as a multivalued field with the rex command. This may work:

 <your search> | rex max_match=0 "GROUP=\"(?<group>[^\"]+)" | mvexpand group | stats count by group

The rex command (http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Rex) will extract a new field. Setting max_match to 0 means rex will not stop at the first match, and it will combine the results in a multivalued field. In your example, your events will now look like this:

 ID       TYPE    group
-------------------------------
 000       NA       A
                    B
--------------------------------
 001       NB       A

mvexpand (http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Mvexpand) will split the multivalue fields, so now you will have three events, like so:

 ID       TYPE    group
-------------------------------
 000       NA       A
-------------------------------
 000       NA       B
--------------------------------
 001       NB       A

Now your stats commands will work the way you want. For regex help try https://regex101.com/

0 Karma
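As an added example that is not part of this thread and is not Splunk code: the Python below models what the accepted `extract kvdelim="=" mv_add=t` pipeline and the `rex max_match=0 | mvexpand | stats count by` pipeline above do, on the question's two events (embedded here as constructed sample data), so the first-match undercount and the corrected count can be compared side by side. The function names and the key/value regex are assumptions about the event format shown in the question; none of them are Splunk APIs.

```python
import re
from collections import Counter

# Constructed sample events copied from the question (not real log data).
EVENTS = [
    'ID=000, GROUP="A", GROUP="B", TYPE="NA"',
    'ID=001, GROUP="A", TYPE="NB"',
]

# One KEY=value pair in the assumed format: the value is either
# double-quoted or a bare token; pairs are separated by ", ".
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def extract_mv(event):
    """Parse an event into {key: [values]}, keeping every occurrence of a
    repeated key. This models `extract kvdelim="=" mv_add=t`: a key that
    appears twice becomes a multivalue field instead of being overwritten."""
    fields = {}
    for m in PAIR_RE.finditer(event):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        fields.setdefault(m.group(1), []).append(value)
    return fields


def extract_first(event):
    """First-match extraction: the behaviour the question observed, where a
    repeated key only ever contributes its first value."""
    return {k: v[0] for k, v in extract_mv(event).items()}


def rex_all(event, pattern=r'GROUP="([^"]+)"'):
    """Model of `rex max_match=0 "GROUP=\"(?<group>[^\"]+)"`: return every
    match of the capture group, not just the first."""
    return re.findall(pattern, event)


def mvexpand(records, field):
    """Model of `mvexpand <field>`: one output record per value of `field`.
    Records that lack the field are passed through unchanged here."""
    out = []
    for rec in records:
        values = rec.get(field)
        if values is None:
            out.append(rec)
            continue
        if not isinstance(values, list):
            values = [values]
        for v in values:
            out.append({**rec, field: v})
    return out


def count_by(records, field):
    """Model of `stats count by <field>` over already-expanded records."""
    return dict(Counter(r[field] for r in records if field in r))


def first_match_counts(events=EVENTS):
    """What `stats count by GROUP` gives when only the first GROUP is kept."""
    return count_by([extract_first(e) for e in events], "GROUP")


def multivalue_counts(events=EVENTS):
    """extract mv_add=t | mvexpand GROUP | stats count by GROUP"""
    records = [extract_mv(e) for e in events]
    return count_by(mvexpand(records, "GROUP"), "GROUP")


if __name__ == "__main__":
    print("first match only:", first_match_counts())   # {'A': 2}
    print("all values      :", multivalue_counts())    # {'A': 2, 'B': 1}
    # Caveat: the rex character class needs `+`. Without it the capture is
    # one character wide, which looks right for "A" and "B" but truncates
    # longer group names.
    event = 'ID=002, GROUP="Admins", TYPE="NC"'        # constructed
    print(rex_all(event))                               # ['Admins']
    print(rex_all(event, r'GROUP="([^"])'))             # ['A']
```

Run it directly to see both counts. A search that keeps only the first value of a repeated key silently undercounts, so any report or detection that tallies group memberships from events like these should use one of the multivalue extractions from this thread; the caveat at the end of the block shows why the `+` inside the capture class matters as soon as group names are longer than one character.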

Lindaiyu
Path Finder

Thank you very much for your help! I really learned something!

0 Karma

sundareshr
Legend

Try this

.... |  rex max_match=0 "GROUP=\"(?<group>[^\"]+)" | mvexpand group | stats count by group

0 Karma

Lindaiyu
Path Finder

Thank you very much!

0 Karma