Count all values in mv field, based on other value...

Rialf1959 · ‎10-27-2017

Hello,
I need to:

Count all values from mv field: blkio_stats.io_serviced_recursive{}.value where blkio_stats.io_serviced_recursive{}.op = write

Sample data:
https://pastebin.com/7fKSwztE

Thanks for help

niketn · ‎10-27-2017

@Rialf1959, please try the following using mvzip() function which should work as far as within multi-valued fields op and value there is one to one relationship. In other words mvcount()of op field should match with value field.

<YourBaseSearch>
| fields blkio_stats.io_serviced_recursive{}.op blkio_stats.io_serviced_recursive{}.value
| eval data=mvzip('blkio_stats.io_serviced_recursive{}.op','blkio_stats.io_serviced_recursive{}.value',";")
| table data
| mvexpand data
| search data="Write*"
| eval data=split(data,";")
| eval op=mvindex(data,0)
| eval value=mvindex(data,1)
| table op value

Refer to Splunk documentation for various Multi-value evaluation functions: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Count all values in mv field, based on other value from mv field

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!