Solved: How to find events which have a certain field whic...

jesabs · ‎08-03-2016

I have some events which have a field which is named variable. So the event will be like..

field1="a" field2="b" variable="1" field3="d" variable="2" field4="f" variable="3"

Sometimes the variable field shows up 0 times, sometimes 1 time, and sometimes multiple times in an event. I have been trying to come up with a search that can return only the events which have it multiple times.

I do not care about the value of the variable field. I just want to find when the field is in an event more than once. Could anyone help me out?

sundareshr · ‎08-03-2016

If the name of the field will always be "variable", you could try this

your base search | where mvcount(variable)>1 | ...

IIf the field has not been extracted, try this

your base search | rex max_match=0 "variable=\"(?<variable>\d+)\"" |  where mvcount(variable)>1

View solution in original post

sundareshr · ‎08-03-2016

If the name of the field will always be "variable", you could try this

your base search | where mvcount(variable)>1 | ...

IIf the field has not been extracted, try this

your base search | rex max_match=0 "variable=\"(?<variable>\d+)\"" |  where mvcount(variable)>1

jesabs · ‎08-04-2016

The second one worked. The first one did not work, it would always report 0 or 1. I think because only the first occurrence of a field is recognized if you have MV_ADD set to false in the splunk config. Having the rex overcomes this.

Thanks you!

How to find events which have a certain field which occurs more than once?

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success