I believe you accepted the wrong answer 😆

Thanks. I am glad you got a solution.

This worked perfect!!! Sorry for delayed response.

Works Perfect!

Try this:

| inputlookup dojo_dev [| noop | stats count as fields | eval fields = "netq bmc ehlth netdoc hpnnm splunk trident" | eval values = "None" | makemv fields | makemv values | mvexpand fields | mvexpand values | eval {fields} = values | fields - fields values | format "| eval fieldsWithValueCount=" "if((" "OR" "),1,0)" "+" ""] | fields values fieldsWithValueCount

To understand what it is doing, remove everything before [ and after ] including the brackets themselves.

That gives me all the fields for all the records...it doesn't calculate the number of time a value is list.

example: field1=Blue and field2=Red and field3=Blue....how many times was blue used....2 times.

Sorry if I sound like a smart ass not trying to be. I am just trying to explain the best I can 🙂

Here is the full code I am using (with all fields), what it is giving me (I would do a screenshot but it is only letting me do a comment instead of answer) is a table layout with all fields across top, a line for each record and then value for each field in each record. Which is fine but I am trying dwindle it down to a single field with the total number of times "Black" was used. This will go into a Single Digit Dashboard. What you think?

| inputlookup dojo_dev [| noop | stats count as fields | eval fields = "netq bmc ehlth netdoc hpnnm splunk trident aternity ngenius sniffer airwave vidconf brocade rivrbd clrpass dns dhcp cisco ciscoworks bna asafwalls paltoaltofwalls xnet certadmin bluecat ldbalf5 webservx150 raisedflrserv" | eval values = "Black" | makemv fields | makemv values | mvexpand fields | mvexpand values | eval {fields} = values | format "| eval fieldsWithValueCount=" "if((" "OR" "),1,0)" "+" ""]

The answer should be in the field fieldsWithValueCount because this subsearch part...:

| noop | stats count as fields | eval fields = "netq bmc ehlth netdoc hpnnm splunk trident" | eval values = "None" | makemv fields | makemv values | mvexpand fields | mvexpand values | eval {fields} = values | fields - fields values | format "| eval fieldsWithValueCount=" "if((" "" "),1,0)" "+" ""

...evaluates into this search clause...:

| eval fieldsWithValueCount= if(( netq="None" ),1,0) + if(( bmc="None" ),1,0) + if(( ehlth="None" ),1,0) + if(( netdoc="None" ),1,0) + if(( hpnnm="None" ),1,0) + if(( splunk="None" ),1,0) + if(( trident="None" ),1,0)

...and that is the part that does the calculation. If you put this into a macro then you can call it programatically like this:

... | `countFieldsWithValues("netq bmc ehlth netdoc hpnnm splunk trident", "None", fieldsWithValueCount)`

The images below show you the 2 views that I get. Like I said it is only show if the field has a certain value not how many time the value appears.

Thanks

Thanks worked great, had to tweak to fit my needs but it laid the groundwork that I was trying to figure out all afternoon.

Here is what I used:

• | stats count as fields | eval fields = "netq, bmc, ehlth, netdoc, hpnnm, splunk, trident" | eval values = "None" | makemv fields | makemv values | mvexpand fields | mvexpand values | eval {fields} = values | fields - fields values | stats count

Follow up: after further testing this morning this gives me the fields that have a certain value BUT not the total number of times the value is used.....example...the value of field1=red but there might be 20 record where field1=red but only getting the one entry that just confirming that the field has AT LEAST one red value.