Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

count duplicate instances of multivalue field

splunkbacon
Explorer
‎03-20-2019 11:52 AM

Hello.

I have events that have a field "Security_ID" that is a multi value field. It may contain something like:

NULL SID
user1

within that one field. I have found some commands to work with multivalue fields but what I am struggling with it trying to get a count.

If I have an event with Security_ID containing (user1 and NULL SID) and another event with (user2 and NULL SID) - how can I get a table that contains the stats with a count of how many times each of those combinations shows up?

ie i want a table looking like this:

Row 1: user1 NULLSID 5
Row 2: user2 NULLSID 7

Tags (2)
0 Karma
Reply

vnravikumar
Champion
‎03-20-2019 09:27 PM

Hi

Try this

| makeresults 
| eval Security_ID ="NULL SID,user1" 
| append 
    [| makeresults 
    | eval Security_ID ="NULL SID,user2"] 
| append 
    [| makeresults 
    | eval Security_ID ="NULL SID,user2"] 
| append 
    [| makeresults 
    | eval Security_ID ="NULL SID,user3"] 
| makemv delim="," Security_ID 
| eval temp =mvjoin(Security_ID,",") 
| rex field=temp "(?P<sid>.+)\,(?P<user>.+)" 
| stats count by sid, user
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...