Help in query to count the total of the same colou...

vrmandadi · ‎03-15-2016

Hello Experts,

How to calculate the count of the events based on the value of a particular field

example:

                                                                     ....  | stats count by  URL

           URL                                                  COUNT

        JSON_DB_1/%231                                  100
         JSONPayingBank/%231                         80
        /RTDC/RTDC/RTDC/RTDC%231             50

the data has all combination of the url,like some have
1) JSON_DB_1/%231 and JSONPayingBank/%231
2) JSON_DB_1/%231 and /RTDC/RTDC/RTDC/RTDC%231

3) ALL three
the JSON_DB_1/%231 is common for all,but i want to count of urls with JSON_DB_1/%231 and JSONPayingBank/%231 and name it as Paying bank..

somesoni2 · ‎03-15-2016

Try something like this

your base search | eval URL=mvfilter(NOT match(URL,"JSON_DB_1")) | stats count by URL

This will eliminate the common URL value JSON_DB_1/%231 and will give count of events for other two URL values.

vrmandadi · ‎03-15-2016

I have tried your query and other possible match patterns but it throwing me the following error

Error in 'eval' command: The expression is malformed. Expected ).

somesoni2 · ‎03-15-2016

This should've worked. Can you post the query you tried?

somesoni2 · ‎03-15-2016

So you have field URL which is multivalued field for each event?

vrmandadi · ‎03-15-2016

Yes Somesoni

vrmandadi · ‎03-15-2016

each event has a combination of these urls and JSON_DB_1/%231 is common in all events

Help in query to count the total of the same coloumn ?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life