Splunk Search

Count by amount of listed events of one field inside a file

dirkbaumann
Explorer

Hi,
I want to count how often a specific field, let's call it x, is inside a file.
The reason is to follow the flow.
Therefore I use the transaction function to have one file per flow.

Afterwards the file is for example like:

x=a y=yxd z=asdfa x=b x=c

I now want to count how often x is in the file, and when x is more than once in a file I want to see the results behind the x=

0 Karma

neilamoran
Explorer
| chart values(x) by file

...might do it.

dirkbaumann
Explorer

Thanks for that answer, but this is just part of the answer. After having that, I want to see all the parts in detail where x is more than once in a file.

stats values(x) AS variable by ID | stats count(variable) AS VARIABLE by ID | where VARIABLE > 1

After that I wanted to use the values(x) command to see the results, but it won't show me the different x versions per ID.
The question is: how can I see the different x=... x=... versions in the results table?

0 Karma
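One way to keep the count and the values in the same result row, shown as an added example that is not part of the original thread: compute both in a single stats call, because a second stats keeps only the fields it computes plus its by-fields, so the values list from the first stats is dropped. The sample events are constructed with makeresults; ID and x follow the post, while x_count, x_distinct and x_values are names chosen here.

```spl
| makeresults count=5
| streamstats count AS n
``` Constructed sample: flow1 carries x three times, flow2 only once ```
| eval ID=if(n<=3, "flow1", "flow2")
| eval x=case(n=1, "a", n=2, "b", n=3, "c", n=4, "d")
| eval y=if(n=5, "yxd", null())
``` One stats call: occurrences of x, distinct x values, and the values themselves ```
| stats count(x) AS x_count dc(x) AS x_distinct values(x) AS x_values BY ID
``` Keep only the flows where x occurs more than once ```
| where x_count > 1
| table ID x_count x_distinct x_values
```

In a real search, replace the makeresults and eval lines with the base search and leave the stats, where and table stages unchanged.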

kristian_kolb
Ultra Champion

Just make sure that the 'file' is actually a single file, if that is your requirement. Normally, events are not really seen as part of a particular file, unless the application creating the file has some naming scheme, e.g. app_log-yyyy-mm-dd.log. That file name would then be found in the source field.

0 Karma