count duplicate instances of multivalue field

splunkbacon · ‎03-20-2019

Hello.

I have events that have a field "Security_ID" that is a multi value field. It may contain something like:

NULL SID
user1

within that one field. I have found some commands to work with multivalue fields but what I am struggling with it trying to get a count.

If I have an event with Security_ID containing (user1 and NULL SID) and another event with (user2 and NULL SID) - how can I get a table that contains the stats with a count of how many times each of those combinations shows up?

ie i want a table looking like this:

Row 1: user1 NULLSID 5
Row 2: user2 NULLSID 7

vnravikumar · ‎03-20-2019

Hi

Try this

| makeresults 
| eval Security_ID ="NULL SID,user1" 
| append 
    [| makeresults 
    | eval Security_ID ="NULL SID,user2"] 
| append 
    [| makeresults 
    | eval Security_ID ="NULL SID,user2"] 
| append 
    [| makeresults 
    | eval Security_ID ="NULL SID,user3"] 
| makemv delim="," Security_ID 
| eval temp =mvjoin(Security_ID,",") 
| rex field=temp "(?P<sid>.+)\,(?P<user>.+)" 
| stats count by sid, user

count duplicate instances of multivalue field

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

count duplicate instances of multivalue field

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem