Count number of times a field appears in a single ...

the_wolverine · ‎02-28-2013

I have an event which contains many instances of the same field. Additionally the field is multi-valued. How can I count the instances of this field within an event (by value)?

Example (this is a single event):

"Line" = (
  {
    "supplier" = "ABCDEFG";
    "errorCode" = "0";
    "otherItem" = "GFY";
    "quantity" = "1";
    "Number" = "sfldksfjkdsfjklsdfklsfjskdlfjdklfjklsdfjkds";
    "magicID" = "thisisthesame";
    };
  },
  {
    "supplier" = "WZBFK";
    "errorCode" = "0";
    "otherItem" = "GFY";
    "quantity" = "1";
    "Number" = "slgkfhortirtiroetiroeptieprtoeritorpetreo";
    "magicID" = "thisisthesame";
    };
  },
  {
    "supplier" = "TYIIRE";
    "errorCode" = "0";
    "otherItem" = "GFY";
    "quantity" = "3";
    "Number" = "mnssdoerptimgmfdgdfgdfeo";
    "magicID" = "thisisthesame";
    };
  },

sideview · ‎03-01-2013

This doesn't seem to be a fabulous answer, but one way is to actually split the eventtext into a multivalue field, mvexpand on that field, while using streamstats to keep track of which of the expanded rows came from which of the original events.

Because there are newlines you might have to use some "\n" here, I'm not sure. This seems to work here on your raw text doing some quick tests but ymmv.

| streamstats count as eventIndex | eval mvRaw=split(_raw,"},

{") | mvexpand foo

From there, the drawback is you'd have to re-extract your field values with rex or json commands as appropriate, but once you did that you could do stats dc(supplier) dc(errorCode) by eventIndex

martin_mueller · ‎02-28-2013

Got an example?

Count number of times a field appears in a single event?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM