Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to get the number of records of a field and sum up and show records more than one

wiggler
Explorer
‎03-21-2017 05:58 AM

Hi everyone. I would like to ask what is the function to get the number of records in a field?

So here's my scenario.

I use the search to get results below using transaction by username

|search *** transaction by username | table server_name, username, ipaddress

alt text

using the above results, i want to count the number of records in the ipaddress field and display the number of records but remove the field where ipaddress is less than 2 records.

I want this kind of output:

alt text

Thanks I hope someone can help me..

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-21-2017 10:41 AM

In your case you can use mvcount() function for conting occurrences of multi-valued field.

| eval no_of_multiple_con=mvcount(ipaddress)

However, I would try to move away from transaction to stats command

 <YourBaseSearch> | stats values(server_name) as server_name values(ipaddress) as ipaddress count(ipaddress) as no_of_multiple_con dc(ipaddress) as disctinctIPCount by username

PS: Since you have not included server_name as your transaction ID, I would expect multiple Server Names to be returned as well. Hence I have used values() function.
Also I have included dc() function for distinct count of IP Addresses in case the same gets repeated.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-21-2017 10:41 AM

In your case you can use mvcount() function for conting occurrences of multi-valued field.

| eval no_of_multiple_con=mvcount(ipaddress)

However, I would try to move away from transaction to stats command

 <YourBaseSearch> | stats values(server_name) as server_name values(ipaddress) as ipaddress count(ipaddress) as no_of_multiple_con dc(ipaddress) as disctinctIPCount by username

PS: Since you have not included server_name as your transaction ID, I would expect multiple Server Names to be returned as well. Hence I have used values() function.
Also I have included dc() function for distinct count of IP Addresses in case the same gets repeated.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

wiggler
Explorer
‎03-21-2017 04:48 PM

@niketnilay.. thanks a lot.. it works 🙂

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-21-2017 07:22 PM

@wiggler... Glad it worked. Hope you are using stats as it would perform better than transaction as you might have seen 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

wiggler
Explorer
‎03-21-2017 08:30 PM

@niketnilay yeah much better than transaction. thank you very much

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...