count duplicate instances of multivalue field

splunkbacon · ‎03-20-2019

Hello.

I have events that have a field "Security_ID" that is a multi value field. It may contain something like:

NULL SID
user1

within that one field. I have found some commands to work with multivalue fields but what I am struggling with it trying to get a count.

If I have an event with Security_ID containing (user1 and NULL SID) and another event with (user2 and NULL SID) - how can I get a table that contains the stats with a count of how many times each of those combinations shows up?

ie i want a table looking like this:

Row 1: user1 NULLSID 5
Row 2: user2 NULLSID 7

vnravikumar · ‎03-20-2019

Hi

Try this

| makeresults 
| eval Security_ID ="NULL SID,user1" 
| append 
    [| makeresults 
    | eval Security_ID ="NULL SID,user2"] 
| append 
    [| makeresults 
    | eval Security_ID ="NULL SID,user2"] 
| append 
    [| makeresults 
    | eval Security_ID ="NULL SID,user3"] 
| makemv delim="," Security_ID 
| eval temp =mvjoin(Security_ID,",") 
| rex field=temp "(?P<sid>.+)\,(?P<user>.+)" 
| stats count by sid, user

count duplicate instances of multivalue field

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

count duplicate instances of multivalue field

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience