Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use mvcount or mvexpand to separate multiple values from two different fields?

jwalzerpitt
Influencer
‎04-10-2018 01:13 PM

I have an index that contains two fields, sig_names and sig_ids, that can contain multiple values for each. I'd like to separate out the values to get a count for each.

Right now I do a generic stats count search of:

    index=foo
    | stats count by sig_names,sig_ids 
    | sort -count

and the results are as follows:

sig_names     sig_ids   count
foo1, foo2     1,2          18
foo6, foo8     6,8          16
foo4, foo3     4,3          4

Is it possible to separate the values out to get a count for each as such:

sig_names     sig_ids   count
foo1               1             18
foo2               2             18
foo6               6             16
foo8               8              8
foo4               4              4
foo3               3              4

Thx

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-10-2018 01:28 PM

I doesn't look like the fields sig_names are multivalued fields already. Try something like this

index=foo
| makemv sig_names delim="," | makemv sig_ids delim="," 
| eval temp=mvzip(sig_names, sig_ids,"###")
| stats count by temp
| rex field=temp "(?<sig_names>.+)###(?<sig_ids>.+)
| table sig_names sig_ids count

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎04-10-2018 01:30 PM

I had somewhat of a similar question over here: https://answers.splunk.com/answers/623015/question-involving-breaking-out-multiple-multivalu.html

Maybe that answer can help you split out the fields before you count them.

0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎04-10-2018 01:41 PM

Thx for the link as that info and answer is very helpful as well

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-10-2018 01:28 PM

I doesn't look like the fields sig_names are multivalued fields already. Try something like this

index=foo
| makemv sig_names delim="," | makemv sig_ids delim="," 
| eval temp=mvzip(sig_names, sig_ids,"###")
| stats count by temp
| rex field=temp "(?<sig_names>.+)###(?<sig_ids>.+)
| table sig_names sig_ids count
0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎04-10-2018 01:41 PM

Thx - worked perfectly

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...