Solved: Re: How to search the count of a field's values in...

heming277 · ‎04-13-2016

Hi,

I have a serious problem. I'm trying to get the counts of all the values for a field in a comma delimited list, but seems Splunk only picks up the first value, so I cannot use stats count by Fieldname to show it directly.

Part of the search is this:

&fieldA=a,b,c,d&fieldB=a,b,c,d HTTP/1.1" 200

How do I get all the counts for a, b, c, d and output the count in a table?

For example:

Field A

a 20
b 22
c 23
d 24

Please suggest a search, thanks.

somesoni2 · ‎04-13-2016

Try like this (assuming the field names are fixed, e.g. fieldA fieldB etc.)

your base search | rex field=_raw "fieldA=(?<fieldA>[^&\s]+)" | makemv fieldA delim="," | stats count by fieldA

View solution in original post

somesoni2 · ‎04-13-2016

Try like this (assuming the field names are fixed, e.g. fieldA fieldB etc.)

your base search | rex field=_raw "fieldA=(?<fieldA>[^&\s]+)" | makemv fieldA delim="," | stats count by fieldA

heming277 · ‎04-13-2016

thank you! it seems to work

How to search the count of a field's values in a comma delimited list and display it as a table?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...