Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using variables in mvfilter with match or how to get an mvdistinctcount(var)

chris
Motivator
‎01-27-2011 03:43 PM

Hi everyone

We would like to be able to find out if a certain field which occurs several times in a transaction changes its value during that transaction (e.g. the browser language changes during a session)

We have a rex that grabs all the values into a mv-field. What we would like to do now is a: mvdistinctcount(mvfield) -> if the result is bigger than 1 we win.

We thought that doing this would accomplish the same: 

... | eval first_element=mvindex(my_WT_ul,0) 
| eval same_ul = mvfilter(match(my_WT_ul, first_element)) 
| eval lang_change=mvcount(my_WT_ul)-mvcount(same_ul)

The idea here being if all the values are equal to the first value in the field we will get a list that has the same length as the original otherwise we don't

But the mvfilter does not like fields in the match function if we supply a static string we are ok.

This is the error message we get:

Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.

Any ideas?

Cheers Chris

Reply
1 Solution
Solved! Jump to solution
Solution

sophy
Splunk Employee
Splunk Employee
‎01-27-2011 05:10 PM

Hi Chris,

There is also a stats function, values(), that you could try. It returns the list of all distinct values of the multivalue field. So, your search could include something like:

... | stats values(mvfield) AS mvfieldvalues | where count(mvfieldvalues) > 1

You can read more about stats functions in the search reference manual.

View solution in original post

Reply
Solved! Jump to solution
Solution

sophy
Splunk Employee
Splunk Employee
‎01-27-2011 05:10 PM

Hi Chris,

There is also a stats function, values(), that you could try. It returns the list of all distinct values of the multivalue field. So, your search could include something like:

... | stats values(mvfield) AS mvfieldvalues | where count(mvfieldvalues) > 1

You can read more about stats functions in the search reference manual.

Reply
Solved! Jump to solution

sophy
Splunk Employee
Splunk Employee
‎01-28-2011 05:07 PM

even better! (^_^)/

0 Karma
Reply
Solved! Jump to solution

chris
Motivator
‎01-28-2011 08:31 AM

Hi sophy, thanks for your solution. What worked for me in the end was this: ... | eventstats values(mvfield) as mvfieldvalues by mvfield | where mvcount(mvfieldvalues) > 1

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...