How to calculate the number of different eventtype...

tony_alibelli · ‎11-04-2014

Hi All

this is my data on one transaction

Nov 4 13:55:51 10.236.33.22 Nov 4 13:55:51 LPD-ZF5-001 notice tmm3[19702]: 01490505:5: decbdf41: RD: Connect to 10.148.2.142 port 2598 err ERR_OK 
Nov 4 14:51:20 10.236.33.22 Nov 4 14:51:20 LPD-ZF5-001 notice tmm[19699]: 01490505:5: decbdf41: RD: Connect to 10.148.2.142 port 2598 err ERR_OK 
Nov 4 14:51:33 10.236.33.22 Nov 4 14:51:33 LPD-ZF5-001 notice tmm2[19701]: 01490505:5: decbdf41: RD: Connect to 10.148.2.142 port 2598 err ERR_OK 
Nov 4 15:29:17 10.236.33.22 Nov 4 15:29:17 LPD-ZF5-001 notice tmm3[19702]: 01490505:5: decbdf41: RD: Connect to 10.148.2.142 port 2598 err ERR_OK 
Nov 4 15:29:26 10.236.33.22 Nov 4 15:29:26 LPD-ZF5-001 notice tmm[19699]: 01490505:5: decbdf41: RD: Connect to 10.148.2.142 port 2598 err ERR_OK 
Nov 4 15:29:33 10.236.33.22 Nov 4 15:29:33 LPD-ZF5-001 notice tmm2[19701]: 01490505:5: decbdf41: RD: Connect to 10.148.2.142 port 2598 err ERR_OK

i defined eventtype who match each line and when i try to calculate the occurrence of the eventtype i have always 1

So how calculate the occurrence of this eventtype ?

Regards

Tony

martin_mueller · ‎11-04-2014

By default the transaction command calculates multivalue fields as distinct values only. You can set mvlist=eventtype though to disable this behaviour for that field.

tony_alibelli · ‎11-04-2014

Hi
i would like calcule the number of each eventtype by this transaction
Regards

martin_mueller · ‎11-04-2014

Are you looking for the number of different eventtypes or the event count per eventtype?

How to calculate the number of different eventtypes in a transaction?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!