Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count how many "200" codes are in my results, when using the mvjoin function?

Abarny
Path Finder
‎02-27-2017 05:41 AM

Hi guys can you tell me how i can count how many code 200 I have when i have do a mvjoin? I try with this search but it is not okay :

|stats list(ACR) as ACResponse by OCId 
|eval X=mvjoin(ACResponse,";") 
| search list(ACR)="*200*"
| stats count  list(ACR) by OCId

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎02-27-2017 07:13 AM

Depends on what you want the output to look like. This first part generates your test data, to the point of your first line:

| makeresults 
| eval mydata="200,487 487,487,487,487 200 603,487,487,487,200 200"
| makemv mydata 
| mvexpand mydata 
| makemv delim="," mydata
| rename mydata as ACResponse
| streamstats count as OCId
| table _time OCId ACResponse

This part eliminates the records that do not include a 200 - 

| search ACResponse=200

You could just do a stats count there, but since you seem to want to see the records, this part will collapse them and zip them together, then give you the count and list.

| eval ACResponse=mvjoin(ACResponse,";")
| eval OCId=mvzip(OCId,ACResponse,"::") 
| stats count list(OCId) as OCId

Resulting in this output

count  OCId
  4     1::200;487
        3::200
        4::603;487;487;487;200
        5::200

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎02-27-2017 07:13 AM

Depends on what you want the output to look like. This first part generates your test data, to the point of your first line:

| makeresults 
| eval mydata="200,487 487,487,487,487 200 603,487,487,487,200 200"
| makemv mydata 
| mvexpand mydata 
| makemv delim="," mydata
| rename mydata as ACResponse
| streamstats count as OCId
| table _time OCId ACResponse

This part eliminates the records that do not include a 200 - 

| search ACResponse=200

You could just do a stats count there, but since you seem to want to see the records, this part will collapse them and zip them together, then give you the count and list.

| eval ACResponse=mvjoin(ACResponse,";")
| eval OCId=mvzip(OCId,ACResponse,"::") 
| stats count list(OCId) as OCId

Resulting in this output

count  OCId
  4     1::200;487
        3::200
        4::603;487;487;487;200
        5::200
Reply
Solved! Jump to solution

Abarny
Path Finder
‎02-27-2017 08:20 AM

I have just an other question, do you know how i can to do an average enter the max JourP and number where I have the ACResponse 200
(Ex: Moyen= AppelID/max(JourP) where AppelId is 3 and JourP is 5)

I do that :

|table OCId ACResponse date_wday
| stats dc(date_wday) as JourP count(ACResponse) as AppelD by ACResponse
| table JourP,AppelD,ACResponse

alt text

Thanks for your help !!

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-27-2017 11:02 AM

That's a completely new question, so it's best to post it into the forum as such.

However, here's the answer, this time.

| table OCId ACResponse date_wday
| stats dc(date_wday) as JourP, count as AppelD by ACResponse 
| table JourP,AppelD,ACResponse
| eval Moyen= AppelID/JourP

That gets you the average number of events per day with any particular ACResponse, if I read it correctly. The following would give you the average of events per day with any particular ACResponse, across the entire period, assuming that at least one kind of ACResponse could be assured of happening every day. Use this code if (A) you know that one particular code will happen at least once every workday, and (B) there are non-workdays in the period in question that you don't want to diminish the average.

| table OCId ACResponse date_wday
| stats dc(date_wday) as JourP, count as AppelD by ACResponse 
| table JourP,AppelD,ACResponse
| eventstats max(JourP) as maxJourP
| eval Moyen=AppelID/maxJourP

More often, you will have a situation where you can't be sure that one ACResponse would be certain to happen every workday, and there are no days you want to exclude when calculating the average. Then you'd do something like this - 

| table OCId ACResponse date_wday
| stats min(date_wday) as mindate, max(date_wday) as maxdate, dc(date_wday) as JourP1, count as AppelD by ACResponse 
| eventstats min(mindate) as mindate, max(maxdate) as maxdate
| eval  JourP2=round((maxdate-mindate)/86400,0)
| eval Moyen1= AppelID/JourP  
| eval Moyen2= AppelID/JourP2
| table ACResponse, AppelD, JourP1, Moyen1, JourP2, Moyen2

You can look at both the answers that come out of this and determine for yourself which one is more reasonable to your data.

0 Karma
Reply
Solved! Jump to solution

Abarny
Path Finder
‎02-28-2017 12:47 AM

Thanks for your help !

0 Karma
Reply
Solved! Jump to solution

Abarny
Path Finder
‎02-27-2017 07:57 AM

Thanks, your last solution is exactly what i wanted.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-27-2017 08:08 AM

You're welcome! Feel free to change the "::" delimiter to anything you like, it just seemed readable to me.

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...