×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
hugh_lacey
New Member
Member since: ‎04-22-2020
‎11-18-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-22-2020
View All

Re: Efficiently counting the occurrences of a deli...

by in Splunk Search
‎04-23-2020 05:43 AM
‎04-23-2020 05:43 AM
Hi manjunathmeti, Thanks for the suggestion. Yes, the expected values for field "blocks" is known, currently there are 48 possible values. I tried your suggestion and ran it over 24 hours of data (~4 million events), the mvexpand approach was faster: mvexpand approach - 178.78 seconds foreach/eval approach - 222.54 seconds I'll need to run this search ad hoc over longer timer periods (30 - 90 days), hence the focus on performance. Thanks for the help. ... View more

Efficiently counting the occurrences of a delimite...

by in Splunk Search
‎04-22-2020 07:00 AM
‎04-22-2020 07:00 AM
In my event data, I have a field called "blocks", the content of that field is a comma separated list of blocks. For example: block_1,block_4,block_10 block_1,block_3,block_4 I want to be able to count the occurrence of the blocks over time. So from above example, I should get the following block_1 2 block_3 1 block_4 2 block_10 1 I have this working via the following, however it is very slow. <my search> | makemv delim="," blocks| mvexpand blocks| stats count by blocks Is there a more efficient way to do this? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-18-2020 07:34 AM