Solved: how to count commas in a filed and display as tabl...

sivaram520 · ‎02-28-2017

I am new to splunk , can some one please help me on below case

my log looks like this
Name="ABCD"
Config Name="XYZ"
dates="2017-01-01,2017-01-02,2017-01-03,2017-01-05,2017-01-07"
missing_dates="2017-01-04,2017-01-06"
Msg="SUCCESS" or "FAIL"

I need to count number of missing dates and display in table table format with below headers only for SUCCESS Msg

Name Config count_of_missing_dates Msg

richgalloway · ‎02-28-2017

Assuming you already have the fields extracted, try this.

... | eval count_of_missing_dates = mvcount(split(missing_dates, ",")) | ...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-28-2017

Assuming you already have the fields extracted, try this.

... | eval count_of_missing_dates = mvcount(split(missing_dates, ",")) | ...

---
If this reply helps you, Karma would be appreciated.

DalJeanis · ‎02-28-2017

Or, to be more verbose...

your base search 
| where Msg="SUCCESS" 
| eval count_of_missing_dates = mvcount(split(missing_dates, ",")) 
| table Name Config count_of_missing_dates Msg

sivaram520 · ‎03-05-2017

Thank you very much 🙂 it's worked

how to count commas in a filed and display as table

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life