count by amount of listed events of one field insi...

dirkbaumann · ‎05-14-2013

Hi,
I want to count how often a Specific field let's call it x is inside a file.
The reason is to follow the flow.
Therefore i use the transaction function to have one file per flow.

Afterwards the file is for example like:

x=a y=yxd z=asdfa x=b x=c

I want now count how often x is in the file and when x is more then once in a file i want to see the results behind the x=

neilamoran · ‎05-14-2013

| chart values(x) by file

...might do it.

dirkbaumann · ‎05-14-2013

Thank's for that answer but this is just part of the answer after having that i want to see all the parts in detail where x is more than once in a file

stats values(x) As variable by ID| stats count(variable) As VARIABLE by ID | where VARIABLE> 1

After that I wanted to make the values(x) command to see the results but it won't show me the different x versions per ID
The question is how can I see in the results table the different x=... x=... versions

kristian_kolb · ‎05-14-2013

Just make sure that the 'file' is actually a single file, if that is your requirement. Normally, events are not really seen as part of a particular file, unless the application creating the file has some naming scheme, e.g. app_log-yyyy-mm-dd.log. That file name would then be found in the source field.

count by amount of listed events of one field inside a filed

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life