Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find events which have a certain field which occurs more than once?

jesabs
Engager
‎08-03-2016 03:22 PM

I have some events which have a field which is named variable. So the event will be like..

field1="a" field2="b" variable="1" field3="d" variable="2" field4="f" variable="3"

Sometimes the variable field shows up 0 times, sometimes 1 time, and sometimes multiple times in an event. I have been trying to come up with a search that can return only the events which have it multiple times.

I do not care about the value of the variable field. I just want to find when the field is in an event more than once. Could anyone help me out?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-03-2016 03:40 PM

If the name of the field will always be "variable", you could try this

your base search | where mvcount(variable)>1 | ...

IIf the field has not been extracted, try this

your base search | rex max_match=0 "variable=\"(?<variable>\d+)\"" |  where mvcount(variable)>1

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎08-03-2016 03:40 PM

If the name of the field will always be "variable", you could try this

your base search | where mvcount(variable)>1 | ...

IIf the field has not been extracted, try this

your base search | rex max_match=0 "variable=\"(?<variable>\d+)\"" |  where mvcount(variable)>1
Reply
Solved! Jump to solution

jesabs
Engager
‎08-04-2016 12:20 PM

The second one worked. The first one did not work, it would always report 0 or 1. I think because only the first occurrence of a field is recognized if you have MV_ADD set to false in the splunk config. Having the rex overcomes this.

Thanks you!

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...