- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is it possible to count the number of times a fiel...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to get the number of times a Field occurs within an event?
I've read posts on how to arrive at unique values of a Field using mvcount. In my case however I have custom logging that includes the same field=value across multiple lines. I'm trying to find a way of counting the number of times this Field occurs within the transaction, so that I can afterwards filter, perhaps with a where clause, based on that that count.
Example logging:
(1)
RequestId=123 RequestType=A
RequestId=123 Consolidate=True
RequestId=123 RequestType=A
RequestId=123 Consolidate=True
(2)
RequestId=456 RequestType=A
RequestId=456 RequestType=A
RequestId=456 Consolidate=True
I'm trying to arrive at a search that can build a transaction with RequestId where the count (number of occurrences of Consolidate) is 2. So the search would return the transaction with RequestId 123 but not 456. Hoping this makes sense.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try:
...|eventstats count(eval(match(Consolidate,"True"))) as ConsolidateTrue|search ConsolidateTrue=2
you could add another count if you want False, also.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add this to the end of your search:
| rex max_match=0 "(?<mvc>RequestId=123 Consolidate=True)" | where mvcount(mvc) > 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try:
...|eventstats count(eval(match(Consolidate,"True"))) as ConsolidateTrue|search ConsolidateTrue=2
you could add another count if you want False, also.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you cmerriman.
eventstats is gathering the total count of Consolidate=True across all events. Is it possible to get the count by individual transaction? Using the logging example, this search.....
index=myindex | transaction RequestId | eventstats count(eval(match(Consolidate,"True"))) as ConsolidateTrue| table RequestId ConsolidateTrue
returns
RequestId ConsolidateTrue
123 3
456 3
I'm trying to find a way of identifying RequestId 123 has 2 Consolidate fields, and 456 only has 1 (so that I can filter this event out)
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry, try adding by RequestId in the eventstats.
index=myindex | transaction RequestId | eventstats count(eval(match(Consolidate,"True"))) as ConsolidateTrue by RequestId| table RequestId ConsolidateTrue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you very much! That was the missing piece, plus I had to move the eventstats prior to the transaction clause. I suppose given the same field=value, when in the context of the transaction it is seen as 1 occurrence of Consolidate in the event.
final query:
index=myindex | eventstats count(eval(match(Consolidate,"True"))) as ConsolidateTrue by RequestId| transaction RequestId | table RequestId ConsolidateTrue
results in
RequestId ConsolidateTrue
123 2
456 1
thank you for the assist cmerriman!!!
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
