Is it possible to count the number of times a field occurs within a transaction?

New Member

Is it possible to get the number of times a Field occurs within an event?

I've read posts on how to arrive at unique values of a Field using mvcount. In my case, however, I have custom logging that includes the same field=value across multiple lines. I'm trying to find a way of counting the number of times this Field occurs within the transaction, so that I can afterwards filter, perhaps with a where clause, based on that count.

Example logging:

(1)
RequestId=123 RequestType=A
RequestId=123 Consolidate=True
RequestId=123 RequestType=A
RequestId=123 Consolidate=True

(2)
RequestId=456 RequestType=A
RequestId=456 RequestType=A
RequestId=456 Consolidate=True

I'm trying to arrive at a search that can build a transaction with RequestId where the count (number of occurrences of Consolidate) is 2. So the search would return the transaction with RequestId 123 but not 456. Hoping this makes sense.


Super Champion

try:

...|eventstats count(eval(match(Consolidate,"True"))) as ConsolidateTrue|search ConsolidateTrue=2

you could add another count if you want False, also.


Esteemed Legend

Add this to the end of your search:

| rex max_match=0 "(?<mvc>RequestId=123 Consolidate=True)" | where mvcount(mvc) > 2


New Member

Thank you, cmerriman.

eventstats is gathering the total count of Consolidate=True across all events. Is it possible to get the count by individual transaction? Using the logging example, this search:

index=myindex | transaction RequestId | eventstats count(eval(match(Consolidate,"True"))) as ConsolidateTrue| table RequestId ConsolidateTrue

returns

RequestId   ConsolidateTrue
123               3
456               3

I'm trying to find a way of identifying that RequestId 123 has 2 Consolidate fields, and 456 only has 1 (so that I can filter this event out).

Any ideas?


Super Champion

Sorry, try adding by RequestId in the eventstats.

index=myindex | transaction RequestId | eventstats count(eval(match(Consolidate,"True"))) as ConsolidateTrue by RequestId| table RequestId ConsolidateTrue

New Member

Thank you very much! That was the missing piece, plus I had to move the eventstats prior to the transaction clause. I suppose that, given the same field=value, in the context of the transaction it is seen as 1 occurrence of Consolidate in the event.

final query:

index=myindex | eventstats count(eval(match(Consolidate,"True"))) as ConsolidateTrue by RequestId | transaction RequestId | table RequestId ConsolidateTrue

results in

RequestId   ConsolidateTrue
123               2
456               1

Thank you for the assist, cmerriman!!!
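To see why the eventstats has to run before the transaction, here is an added Python model of the two orderings over the question's sample log lines. It is not Splunk code and not from this thread; the transaction model assumes the default mvlist=false behaviour of the transaction command, where repeated values of a field collapse to one distinct value.

```python
# Constructed sample log lines copied from the question (not a Splunk export).
LOG_LINES = """\
RequestId=123 RequestType=A
RequestId=123 Consolidate=True
RequestId=123 RequestType=A
RequestId=123 Consolidate=True
RequestId=456 RequestType=A
RequestId=456 RequestType=A
RequestId=456 Consolidate=True
""".splitlines()


def parse_events(lines):
    """Turn each key=value line into one event dict, like field extraction on raw events."""
    return [dict(tok.split("=", 1) for tok in line.split()) for line in lines]


def eventstats_consolidate_true(events):
    """Model of `eventstats count(eval(match(Consolidate,"True"))) as ConsolidateTrue by RequestId`
    run on the raw events: every event carrying Consolidate=True counts once per RequestId."""
    counts = {}
    for ev in events:
        rid = ev["RequestId"]
        counts[rid] = counts.get(rid, 0) + (1 if ev.get("Consolidate") == "True" else 0)
    return counts


def transaction(events):
    """Model of `transaction RequestId` with the default mvlist=false: events sharing a
    RequestId merge into one event whose fields hold the *set* of distinct values seen."""
    txns = {}
    for ev in events:
        merged = txns.setdefault(ev["RequestId"], {})
        for key, value in ev.items():
            values = merged.setdefault(key, [])
            if value not in values:          # duplicate field=value pairs collapse here
                values.append(value)
    return txns


def count_after_transaction(txns):
    """Counting Consolidate=True after the merge sees at most one value per RequestId,
    which is why the eventstats placed after transaction could not tell 123 from 456."""
    return {rid: sum(1 for v in t.get("Consolidate", []) if v == "True") for rid, t in txns.items()}


def request_ids_with_count(counts, wanted=2):
    """Model of `| search ConsolidateTrue=2` (or `| where ConsolidateTrue=2`)."""
    return sorted(rid for rid, c in counts.items() if c == wanted)
```

Running the raw-event count first gives {"123": 2, "456": 1}, while the same count after the merge gives 1 for both; the filter on the raw-event count keeps only RequestId 123, matching the final query's results.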
