Solved: is it possible to get the sum of a multivalued fie...

vijai_thomas · ‎01-15-2014

Hi,
I want to count the number or errors within two keywords say starttran and endtran.
My log data would be like

starttran
tran Id:1000
error*
abc done
error*
endtran

My query : sourcetype="abc" | eval haserror=if(searchmatch("error"),1,0) | transaction startswith=starttran endswith=endtran mvlist=haserror | table haserror TRANID

O/P

haserror / TRANID
0
0 / 1000
1
0
1
0

But i want it like

haserror / TRANID
2 / 1000

I tried using sum(haserror) by TRANID but din't. Kindly help . Also here can't TRANID be used as unique ID ?

Thanks a lot

lguinn2 · ‎01-15-2014

sourcetype="abc" 
| eval haserror=if(searchmatch("error"),1,0) 
| transaction startswith=starttran endswith=endtran mvlist=haserror 
| eval ErrorCount = mvcount(mvfilter(haserror==1))
| table ErrorCount TRANID

should work

View solution in original post

lguinn2 · ‎01-15-2014

sourcetype="abc" 
| eval haserror=if(searchmatch("error"),1,0) 
| transaction startswith=starttran endswith=endtran mvlist=haserror 
| eval ErrorCount = mvcount(mvfilter(haserror==1))
| table ErrorCount TRANID

should work

vijai_thomas · ‎01-15-2014

This worked .. Thanks a lot 🙂

is it possible to get the sum of a multivalued field within a transaction without a unique id??

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases