Solved: How to get the count of unique values for a field ...

Aaron_Fogarty · ‎04-25-2016

I have a field named Visit that can have several vales: "Order Entry", "Order Reference" and 5 others. I want to count every Visit per event only once per value.

What I mean by this is that in Example one, the Visit count for this event will be only 1
and in Example two, the Visit count for the event will be 2.

Event Example one:

Client - User:123 - Visit="Order Entry" - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - New selection begin  - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - New selection begin  - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - Loading selection begin  - Apr 25, 2016, 9:34:58 AM EDT
Client - User:123 - Visit="Order Entry" - Apr 25, 2016, 9:34:58 AM EDT

Event Example two:

Client - User:456 - Visit="Order Entry" - Apr 25, 2016, 6:46:22 AM EDT
Client - User:456 - New order begin  - Apr 25, 2016, 6:46:22 AM EDT
Client - User:456 - Visit="Order Reference" - Apr 25, 2016, 6:46:22 AM EDT
Client - User:456 - Successful login.  Failed login attempts 0.

Thank you.

javiergn · ‎04-25-2016

Hi,

If your events are separated as you described above, you can try this:

your search here
| rex max_match=0 "Visit=(?<visits>\"[^\"]+\")"
| mvexpand visits
| stats values(visits) as visits dc(visits) as visit_counts by _raw

Example 1:

| stats count
| eval _raw = "
 Client - User:123 - Visit=\"Order Entry\" - Apr 25, 2016, 9:34:58 AM EDT
 Client - User:123 - New selection begin  - Apr 25, 2016, 9:34:58 AM EDT
 Client - User:123 - New selection begin  - Apr 25, 2016, 9:34:58 AM EDT
 Client - User:123 - Loading selection begin  - Apr 25, 2016, 9:34:58 AM EDT
 Client - User:123 - Visit=\"Order Entry\" - Apr 25, 2016, 9:34:58 AM EDT
"
| rex max_match=0 "Visit=(?<visits>\"[^\"]+\")"
| mvexpand visits
| stats values(visits) as visits dc(visits) as visit_counts by _raw

# visit_counts = 1

Example 2:

| stats count
| eval _raw = "
 Client - User:456 - Visit=\"Order Entry\" - Apr 25, 2016, 6:46:22 AM EDT
 Client - User:456 - New order begin  - Apr 25, 2016, 6:46:22 AM EDT
 Client - User:456 - Visit=\"Order Reference\" - Apr 25, 2016, 6:46:22 AM EDT
 Client - User:456 - Successful login.  Failed login attempts 0.
"
| rex max_match=0 "Visit=(?<visits>\"[^\"]+\")"
| mvexpand visits
| stats values(visits) as visits dc(visits) as visit_counts by _raw


# visit_counts = 2

View solution in original post

javiergn · ‎04-25-2016

Hi,

If your events are separated as you described above, you can try this:

your search here
| rex max_match=0 "Visit=(?<visits>\"[^\"]+\")"
| mvexpand visits
| stats values(visits) as visits dc(visits) as visit_counts by _raw

Example 1:

| stats count
| eval _raw = "
 Client - User:123 - Visit=\"Order Entry\" - Apr 25, 2016, 9:34:58 AM EDT
 Client - User:123 - New selection begin  - Apr 25, 2016, 9:34:58 AM EDT
 Client - User:123 - New selection begin  - Apr 25, 2016, 9:34:58 AM EDT
 Client - User:123 - Loading selection begin  - Apr 25, 2016, 9:34:58 AM EDT
 Client - User:123 - Visit=\"Order Entry\" - Apr 25, 2016, 9:34:58 AM EDT
"
| rex max_match=0 "Visit=(?<visits>\"[^\"]+\")"
| mvexpand visits
| stats values(visits) as visits dc(visits) as visit_counts by _raw

# visit_counts = 1

Example 2:

| stats count
| eval _raw = "
 Client - User:456 - Visit=\"Order Entry\" - Apr 25, 2016, 6:46:22 AM EDT
 Client - User:456 - New order begin  - Apr 25, 2016, 6:46:22 AM EDT
 Client - User:456 - Visit=\"Order Reference\" - Apr 25, 2016, 6:46:22 AM EDT
 Client - User:456 - Successful login.  Failed login attempts 0.
"
| rex max_match=0 "Visit=(?<visits>\"[^\"]+\")"
| mvexpand visits
| stats values(visits) as visits dc(visits) as visit_counts by _raw


# visit_counts = 2

Aaron_Fogarty · ‎04-26-2016

That is perfect javiergn. Exactly what I was looking to do. Cheers.

How to get the count of unique values for a field per event?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life