Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using variables in mvfilter with match or how to get an mvdistinctcount(var)

chris
Motivator
‎01-27-2011 03:43 PM

Hi everyone

We would like to be able to find out if a certain field which occurs several times in a transaction changes its value during that transaction (e.g. the browser language changes during a session)

We have a rex that grabs all the values into a mv-field. What we would like to do now is a: mvdistinctcount(mvfield) -> if the result is bigger than 1 we win.

We thought that doing this would accomplish the same: 

... | eval first_element=mvindex(my_WT_ul,0) 
| eval same_ul = mvfilter(match(my_WT_ul, first_element)) 
| eval lang_change=mvcount(my_WT_ul)-mvcount(same_ul)

The idea here being if all the values are equal to the first value in the field we will get a list that has the same length as the original otherwise we don't

But the mvfilter does not like fields in the match function if we supply a static string we are ok.

This is the error message we get:

Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.

Any ideas?

Cheers Chris

Reply
1 Solution
Solved! Jump to solution
Solution

sophy
Splunk Employee
Splunk Employee
‎01-27-2011 05:10 PM

Hi Chris,

There is also a stats function, values(), that you could try. It returns the list of all distinct values of the multivalue field. So, your search could include something like:

... | stats values(mvfield) AS mvfieldvalues | where count(mvfieldvalues) > 1

You can read more about stats functions in the search reference manual.

View solution in original post

Reply
Solved! Jump to solution
Solution

sophy
Splunk Employee
Splunk Employee
‎01-27-2011 05:10 PM

Hi Chris,

There is also a stats function, values(), that you could try. It returns the list of all distinct values of the multivalue field. So, your search could include something like:

... | stats values(mvfield) AS mvfieldvalues | where count(mvfieldvalues) > 1

You can read more about stats functions in the search reference manual.

Reply
Solved! Jump to solution

sophy
Splunk Employee
Splunk Employee
‎01-28-2011 05:07 PM

even better! (^_^)/

0 Karma
Reply
Solved! Jump to solution

chris
Motivator
‎01-28-2011 08:31 AM

Hi sophy, thanks for your solution. What worked for me in the end was this: ... | eventstats values(mvfield) as mvfieldvalues by mvfield | where mvcount(mvfieldvalues) > 1

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...