Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to get the number of records of a field and sum up and show records more than one

wiggler
Explorer
‎03-21-2017 05:58 AM

Hi everyone. I would like to ask what is the function to get the number of records in a field?

So here's my scenario.

I use the search to get results below using transaction by username

|search *** transaction by username | table server_name, username, ipaddress

alt text

using the above results, i want to count the number of records in the ipaddress field and display the number of records but remove the field where ipaddress is less than 2 records.

I want this kind of output:

alt text

Thanks I hope someone can help me..

Preview file
3 KB
Preview file
3 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-21-2017 10:41 AM

In your case you can use mvcount() function for conting occurrences of multi-valued field.

| eval no_of_multiple_con=mvcount(ipaddress)

However, I would try to move away from transaction to stats command

 <YourBaseSearch> | stats values(server_name) as server_name values(ipaddress) as ipaddress count(ipaddress) as no_of_multiple_con dc(ipaddress) as disctinctIPCount by username

PS: Since you have not included server_name as your transaction ID, I would expect multiple Server Names to be returned as well. Hence I have used values() function.
Also I have included dc() function for distinct count of IP Addresses in case the same gets repeated.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-21-2017 10:41 AM

In your case you can use mvcount() function for conting occurrences of multi-valued field.

| eval no_of_multiple_con=mvcount(ipaddress)

However, I would try to move away from transaction to stats command

 <YourBaseSearch> | stats values(server_name) as server_name values(ipaddress) as ipaddress count(ipaddress) as no_of_multiple_con dc(ipaddress) as disctinctIPCount by username

PS: Since you have not included server_name as your transaction ID, I would expect multiple Server Names to be returned as well. Hence I have used values() function.
Also I have included dc() function for distinct count of IP Addresses in case the same gets repeated.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

wiggler
Explorer
‎03-21-2017 04:48 PM

@niketnilay.. thanks a lot.. it works 🙂

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-21-2017 07:22 PM

@wiggler... Glad it worked. Hope you are using stats as it would perform better than transaction as you might have seen 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

wiggler
Explorer
‎03-21-2017 08:30 PM

@niketnilay yeah much better than transaction. thank you very much

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...