Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiple value for the same field in one event.How to determine statistics

prettysunshinez
Explorer
‎03-11-2020 01:54 AM

I have an event having 3 errors..
I have a regular expression written to capture the error as "ERROR".
And now i have a lookup file and I input the ERROR value and output Comments for the respective error.

I do not have issues when there is just one value for ERROR field in one event(i.e., if there is only one error in a event)
But when there are more than one error,then i get the result as below.
Kindly help..

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-16-2020 03:25 AM

Expand ERROR values before lookup command.

index= |(regular expression to catch the error from the logs as ERROR) | mvexpand ERROR | lookup abc.csv ERROR output Comments |stats count by Comments

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎03-16-2020 03:25 AM

Expand ERROR values before lookup command.

index= |(regular expression to catch the error from the logs as ERROR) | mvexpand ERROR | lookup abc.csv ERROR output Comments |stats count by Comments
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-14-2020 01:36 PM

What you are describing is not possible unless you have a Lookup Definition with some extra settings in it. It is pointless to continue without you spelling out everything including at least 2 lines of your Lookup File and your search SPL and your Lookup Definition.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎03-11-2020 01:53 PM 
index=your_index 
|(regular expression to catch the error from the logs as ERROR) 
| stats count by ERROR
| lookup abc.csv ERROR output Comments

I see, this query excludes same ERROR
How about this?

In your last comment, |stats count by Comments
This result is following:

Comments count
abc  3
bcd  1
....

This result is not your first expect result.
Which do you want?

0 Karma
Reply
Solved! Jump to solution

prettysunshinez
Explorer
‎03-11-2020 11:01 PM

Am sorry I missed it..
I get the error also as part of output from lookup file..and i do statistics count and values based on ERROR..

0 Karma
Reply
Solved! Jump to solution

prettysunshinez
Explorer
‎03-11-2020 09:02 AM

index= |(regular expression to catch the error from the logs as ERROR) | lookup abc.csv ERROR output Comments |stats count by Comments

abc.csv:
ERROR Comments
Error1 abc
Error2 abc
Error3 bcd
Error4 bed
Error5 abc

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-22-2020 11:43 AM

Why are you being so vauge? Show us ALL of your search! The rex part is probably THE MOST IMPORTANT PART and yet you stripped it!?!?

0 Karma
Reply
Solved! Jump to solution

prettysunshinez
Explorer
‎03-11-2020 11:02 AM

Regular followed by max_match=0..
In order to capture all the occurences of ERROR

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-22-2020 11:44 AM

SHOW US THE FULL SEARCH SPL and a few sample events.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-11-2020 08:08 AM

can you post your query?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎03-11-2020 06:38 AM

"ERROR" field is multivalue?

0 Karma
Reply
Solved! Jump to solution

prettysunshinez
Explorer
‎03-11-2020 07:43 AM

Single value only

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...

Application management with Targeted Application Install for Victoria Experience

Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...