Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I count multi-value fields?

i111040d
New Member
‎03-07-2017 10:20 PM

My event(NOT table):

_time,id,eth_src,eth_dst
090000,1,u,v
090001,1,w,x
090002,1,y,z
090003,2,u,v
090004,2,w,x
090005,3,u,v
090006,4,u,v
090007,4,w,x

The table I want to create
([~] means multi-value field.):

route,count,sparkline(count)
[u>v,w>x,y>z],1,sparkline
[u>v,w>x],2,sparkline
[u>v],1,sparkline

How can I create the table?

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎03-09-2017 07:21 AM

Give this a try

Index=*
|eval route=src.">".dst
|stats last(_time) as _time values(route) as route by id delim=","
| nomv route
|stats count sparkline by route
0 Karma
Reply

DalJeanis
Legend
‎03-09-2017 07:16 AM

Take a look at the updated code on my post. I believe it is what you are looking for.

0 Karma
Reply

DalJeanis
Legend
‎03-08-2017 09:22 PM

This inputs your example data.

  | makeresults 
  | eval mydata="090000,1,u,v 090001,1,w,x 090002,1,y,z 090003,2,u,v 090004,2,w,x 090005,3,u,v 090006,4,u,v 090007,4,w,x" 
  | makemv mydata | mvexpand mydata | makemv delim="," mydata 
  | eval time=mvindex(mydata,0),id=mvindex(mydata,1),eth_src=mvindex(mydata,2),eth_dst=mvindex(mydata,3)
  | table time id eth_src eth_dst

This translates the data to the a>b format, strips the records to only the time, leg and id, then puts the legs together into a single multivalue field ("legs") by id. Then it uses mvjoin to create the requested format, and finally, produce the count of each route, with sparkline.

| eval leg = eth_src.">".eth_dst
| table time id leg
| eventstats min(time) as mintime, list(leg) as legs by id
| eval route = "[".mvjoin(legs,",")."]"
| where time=mintime
| eval _time = time
| eventstats count as routecount by route
| eval route=route.":".routecount
| table _time route routecount
| chart count sparkline by route

Resulting in 

route         count   sparkline
[u>v,w>x,y>z]    1    \____
[u>v,w>x]        2    _/\_/
[u>v]            1    __/\_
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-08-2017 01:18 AM

Hi i111040d,
I'm not sure about your need because I see in your example that you have the same values u>v in all the results, every way, try something like this:

 your_search
| eval route=case(eth_src="u" AND eth_dst="v", "[u>v]",eth_src="w" AND eth_dst="x", "[w>x]",eth_src="y" AND eth_dst="z", "[y>z]",............)
| stats sparkline count by route

Obviously, you have to build your eval by your needs.

Bye.
Giuseppe

0 Karma
Reply

i111040d
New Member
‎03-08-2017 05:36 PM

Hi, cusello.
Thanks for your answering.
But sorry my bad.
What I wanted is slightly different.
So I rewrite clarity.

Event:
_time=090000 id=1 src=w dst=x
_time=090001 id=1 src=y dst=z
_time=090002 id=2 src=w dst=x
_time=090003 id=3 src=w dst=x
_time=090004 id=3 src=y dst=z

First search:
Index=*
|eval route=src.">".dst
|stats last(_time) as _time values(route) as route by id

First result(table):
_time,id,route
090001,1,[w>x,y>z]
090002,2,w>x
090004,3,[w>x,y>z]

Next search:
|stats count sparkline by route

Ideal result(table):
route,count,sparkline
[w>x,y>z],2,sparkline
w>x,1,sparkline

Actual result(table):
route,count,sparkline(failed)
w>x,3,sparkline(failed)
y>z,2,sparkline(failed)

How can I get the "Ideal result"?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...