Solved: Re: count events in multivalue field

perlish · ‎12-18-2017

Hi,
I want to deal the multivalue field to get the counts whch is satisfied the conditions I set. For example, in the following picture, I want to get search result of (myfield>44) in one event.

kamlesh_vaghela · ‎12-18-2017

HI

Can you please try this?

YOUR_SEARCH
| eval myfield=mvfilter(myfield>44) 
| eval n=mvcount(myfield)

My Sample search:

| makeresults 
| eval myfield="10,20,30,40" 
| makemv delim="," myfield 
| eval myfield=mvfilter(myfield>20) 
| eval n=mvcount(myfield)

Thanks

View solution in original post

cmerriman · ‎12-18-2017

try this:

|eval myfield_count=mvcount(mvfilter(myfield>44))

perlish · ‎12-18-2017

Thanks! It works!

kamlesh_vaghela · ‎12-18-2017

HI

Can you please try this?

YOUR_SEARCH
| eval myfield=mvfilter(myfield>44) 
| eval n=mvcount(myfield)

My Sample search:

| makeresults 
| eval myfield="10,20,30,40" 
| makemv delim="," myfield 
| eval myfield=mvfilter(myfield>20) 
| eval n=mvcount(myfield)

Thanks

perlish · ‎12-18-2017

It works,thank you!
While I have another question, it seems that splunk parse the float to string sometimes, and because of this problem, the mvfilter function may become invalid. How can I solve it in this situation?

kamlesh_vaghela · ‎12-19-2017

Hih @perlish

Can you please share events or sample data which causes an error?

perlish · ‎12-19-2017

I'm sorry that I don't have the sample data. When I tried to solve the question I asked ,I used nomv() method and found that the single value's type is string. Therefore, I asked the following question.

andrey2007 · ‎12-18-2017

try this command
| eval n=mvcount(myfield)

count events in multivalue field

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services