Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using variables in mvfilter with match or how to get an mvdistinctcount(var)

chris
Motivator
‎01-27-2011 03:43 PM

Hi everyone

We would like to be able to find out if a certain field which occurs several times in a transaction changes its value during that transaction (e.g. the browser language changes during a session)

We have a rex that grabs all the values into a mv-field. What we would like to do now is a: mvdistinctcount(mvfield) -> if the result is bigger than 1 we win.

We thought that doing this would accomplish the same: 

... | eval first_element=mvindex(my_WT_ul,0) 
| eval same_ul = mvfilter(match(my_WT_ul, first_element)) 
| eval lang_change=mvcount(my_WT_ul)-mvcount(same_ul)

The idea here being if all the values are equal to the first value in the field we will get a list that has the same length as the original otherwise we don't

But the mvfilter does not like fields in the match function if we supply a static string we are ok.

This is the error message we get:

Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.

Any ideas?

Cheers Chris

Reply
1 Solution
Solved! Jump to solution
Solution

sophy
Splunk Employee
Splunk Employee
‎01-27-2011 05:10 PM

Hi Chris,

There is also a stats function, values(), that you could try. It returns the list of all distinct values of the multivalue field. So, your search could include something like:

... | stats values(mvfield) AS mvfieldvalues | where count(mvfieldvalues) > 1

You can read more about stats functions in the search reference manual.

View solution in original post

Reply
Solved! Jump to solution
Solution

sophy
Splunk Employee
Splunk Employee
‎01-27-2011 05:10 PM

Hi Chris,

There is also a stats function, values(), that you could try. It returns the list of all distinct values of the multivalue field. So, your search could include something like:

... | stats values(mvfield) AS mvfieldvalues | where count(mvfieldvalues) > 1

You can read more about stats functions in the search reference manual.

Reply
Solved! Jump to solution

sophy
Splunk Employee
Splunk Employee
‎01-28-2011 05:07 PM

even better! (^_^)/

0 Karma
Reply
Solved! Jump to solution

chris
Motivator
‎01-28-2011 08:31 AM

Hi sophy, thanks for your solution. What worked for me in the end was this: ... | eventstats values(mvfield) as mvfieldvalues by mvfield | where mvcount(mvfieldvalues) > 1

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...