Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats count conditional for multi field

corehan
Explorer
‎09-27-2021 12:18 AM

Hello dears,

I want to list my search if  "B" total count higher than >3 than list by "A"

A and B fields could have variable values, doesn't matter. 

search | stats count(B) by A,B |sort -A |where B>3

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 12:57 AM

Ahhh, so you want to do stats on simple events. You don't have multivalue fields. Multivalue field holds multiple values within a single event. It's not your case as far as I can see.

Your stats command is a bit too detailed. You just want to group by device, so that's the only field you should leave in the "by" clause. Then you can filter your results.

index=decoder M=NetworkMapDataInit C=GPONChecker OLT="*"
| eval Date=date_month." ".date_mday
| dedup H,U,S
| join H,U,S type=inner
  [search index=decoder M=WF_CrmRequestAndNetflowTask C=OVERLAY P=checkResult NetflowResultMsg1=NetflowTaskCreated
   | dedup H,U,S ]
| stats count as complaint_number list(Date) list(H) list(REQUESTNAME) by OLT
| where complaint_number >= 10

You could also try to lose that join in favour of some stats aggregation but it's another story.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-27-2021 01:11 AM

Depends on what you mean by "multi-field". Do you want to just count separate occurences of B?

In this case it's just

search | stats count(B) by A | where count(B)>3 | sort - A

 If you want to count distinct values of B, it's not count but dc (distinctcount).

search | stats dc(B) by A | where dc(B)>3 | sort - A

 But if you have a multi-value field B and want to count items within the field,  you have to approach it differently

search | where mvcount(B)>3 | sort - A
0 Karma
Reply
Solved! Jump to solution

corehan
Explorer
‎09-27-2021 01:59 AM

Yes, i want to list , multi-value field B and want to count items within the field. Should i use stats command before ?

I try this but not works for me;

search | where mvcount(B)>3 | sort - A

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-27-2021 02:16 AM

No. Stats command is for calculating stats pertaining to sets of events. as far as I can understand, you want to have a count of multivalued field entries per each event.

Try

search | eval mvc=mvcount(B)

And see if the mvc field is properly calculated.

Also, it usually helps if you provide us with a sample of your data so we know that we all have common understanding of what you want to achieve.

0 Karma
Reply
Solved! Jump to solution

corehan
Explorer
‎09-28-2021 12:39 AM

Thank you for answers. So, more details for this;

I have lot of network devices and subscribers. So, i want to analyse subscriber compliants. When the total subscriber compliants count reach to 10 number by each device, than list.

my field details;

OLT=Network devices

H = Subscriber IDs

REQUESTNAME = Subscriber compliant types

index=decoder M=NetworkMapDataInit C=GPONChecker OLT="*" | eval Date=date_month." ".date_mday | dedup H,U,S | join H,U,S type=inner [search index=decoder M=WF_CrmRequestAndNetflowTask C=OVERLAY P=checkResult NetflowResultMsg1=NetflowTaskCreated | dedup H,U,S ] | stats count by Date,OLT,H,REQUESTNAME

corehan_0-1632814695207.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 12:57 AM

Ahhh, so you want to do stats on simple events. You don't have multivalue fields. Multivalue field holds multiple values within a single event. It's not your case as far as I can see.

Your stats command is a bit too detailed. You just want to group by device, so that's the only field you should leave in the "by" clause. Then you can filter your results.

index=decoder M=NetworkMapDataInit C=GPONChecker OLT="*"
| eval Date=date_month." ".date_mday
| dedup H,U,S
| join H,U,S type=inner
  [search index=decoder M=WF_CrmRequestAndNetflowTask C=OVERLAY P=checkResult NetflowResultMsg1=NetflowTaskCreated
   | dedup H,U,S ]
| stats count as complaint_number list(Date) list(H) list(REQUESTNAME) by OLT
| where complaint_number >= 10

You could also try to lose that join in favour of some stats aggregation but it's another story.

0 Karma
Reply
Solved! Jump to solution

corehan
Explorer
‎09-28-2021 01:10 AM

you are amazing, works fine. Thank you very much

 

I love splunk community..

0 Karma
Reply
Solved! Jump to solution

corehan
Explorer
‎09-27-2021 12:28 AM

now i'm trying something like this;

 

search | stats count(B) by A,B |sort -A |where sum(count(B))>3

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Top