Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to count numbers of recipients in stanza?

lucas4394
Path Finder
‎12-30-2019 10:25 AM

I have a recipient field containing a list of recipient delimited by a comma.

What is the best way to calculate the total number of recipients from the recipient field?

Thanks.

For instance, if the recipient contains the following email, I want to create a calculated field, recipient_count, and the value is 2 from the sample.

john_doe@xyz.com, doe_john@abc.com
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aberkow
Builder
‎12-30-2019 10:30 AM

Something like this should work:

| makeresults count=1 
| eval emails = "john_doe@xyz.com, doe_john@abc.com" 
| eval emailMultiValue=split(emails, ", ")
| eval emailMultiValueCount=mvcount(emailMultiValue)

The last two lines are what you need - splitting the emails field into a multivalue field (either overwriting or creating a new multivalue field), and then counting the rows. There are some other ways to do this as well but I think it's the cleanest. Take a look at the functions in the eval command https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval#Usage to see all the things it can do!

Hope this helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

aberkow
Builder
‎12-30-2019 10:30 AM

Something like this should work:

| makeresults count=1 
| eval emails = "john_doe@xyz.com, doe_john@abc.com" 
| eval emailMultiValue=split(emails, ", ")
| eval emailMultiValueCount=mvcount(emailMultiValue)

The last two lines are what you need - splitting the emails field into a multivalue field (either overwriting or creating a new multivalue field), and then counting the rows. There are some other ways to do this as well but I think it's the cleanest. Take a look at the functions in the eval command https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval#Usage to see all the things it can do!

Hope this helps.

Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Top