Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats count conditional for multi field

corehan
Explorer
‎09-27-2021 12:18 AM

Hello dears,

I want to list my search if  "B" total count higher than >3 than list by "A"

A and B fields could have variable values, doesn't matter. 

search | stats count(B) by A,B |sort -A |where B>3

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 12:57 AM

Ahhh, so you want to do stats on simple events. You don't have multivalue fields. Multivalue field holds multiple values within a single event. It's not your case as far as I can see.

Your stats command is a bit too detailed. You just want to group by device, so that's the only field you should leave in the "by" clause. Then you can filter your results.

index=decoder M=NetworkMapDataInit C=GPONChecker OLT="*"
| eval Date=date_month." ".date_mday
| dedup H,U,S
| join H,U,S type=inner
  [search index=decoder M=WF_CrmRequestAndNetflowTask C=OVERLAY P=checkResult NetflowResultMsg1=NetflowTaskCreated
   | dedup H,U,S ]
| stats count as complaint_number list(Date) list(H) list(REQUESTNAME) by OLT
| where complaint_number >= 10

You could also try to lose that join in favour of some stats aggregation but it's another story.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-27-2021 01:11 AM

Depends on what you mean by "multi-field". Do you want to just count separate occurences of B?

In this case it's just

search | stats count(B) by A | where count(B)>3 | sort - A

 If you want to count distinct values of B, it's not count but dc (distinctcount).

search | stats dc(B) by A | where dc(B)>3 | sort - A

 But if you have a multi-value field B and want to count items within the field,  you have to approach it differently

search | where mvcount(B)>3 | sort - A
0 Karma
Reply
Solved! Jump to solution

corehan
Explorer
‎09-27-2021 01:59 AM

Yes, i want to list , multi-value field B and want to count items within the field. Should i use stats command before ?

I try this but not works for me;

search | where mvcount(B)>3 | sort - A

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-27-2021 02:16 AM

No. Stats command is for calculating stats pertaining to sets of events. as far as I can understand, you want to have a count of multivalued field entries per each event.

Try

search | eval mvc=mvcount(B)

And see if the mvc field is properly calculated.

Also, it usually helps if you provide us with a sample of your data so we know that we all have common understanding of what you want to achieve.

0 Karma
Reply
Solved! Jump to solution

corehan
Explorer
‎09-28-2021 12:39 AM

Thank you for answers. So, more details for this;

I have lot of network devices and subscribers. So, i want to analyse subscriber compliants. When the total subscriber compliants count reach to 10 number by each device, than list.

my field details;

OLT=Network devices

H = Subscriber IDs

REQUESTNAME = Subscriber compliant types

index=decoder M=NetworkMapDataInit C=GPONChecker OLT="*" | eval Date=date_month." ".date_mday | dedup H,U,S | join H,U,S type=inner [search index=decoder M=WF_CrmRequestAndNetflowTask C=OVERLAY P=checkResult NetflowResultMsg1=NetflowTaskCreated | dedup H,U,S ] | stats count by Date,OLT,H,REQUESTNAME

corehan_0-1632814695207.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-28-2021 12:57 AM

Ahhh, so you want to do stats on simple events. You don't have multivalue fields. Multivalue field holds multiple values within a single event. It's not your case as far as I can see.

Your stats command is a bit too detailed. You just want to group by device, so that's the only field you should leave in the "by" clause. Then you can filter your results.

index=decoder M=NetworkMapDataInit C=GPONChecker OLT="*"
| eval Date=date_month." ".date_mday
| dedup H,U,S
| join H,U,S type=inner
  [search index=decoder M=WF_CrmRequestAndNetflowTask C=OVERLAY P=checkResult NetflowResultMsg1=NetflowTaskCreated
   | dedup H,U,S ]
| stats count as complaint_number list(Date) list(H) list(REQUESTNAME) by OLT
| where complaint_number >= 10

You could also try to lose that join in favour of some stats aggregation but it's another story.

0 Karma
Reply
Solved! Jump to solution

corehan
Explorer
‎09-28-2021 01:10 AM

you are amazing, works fine. Thank you very much

 

I love splunk community..

0 Karma
Reply
Solved! Jump to solution

corehan
Explorer
‎09-27-2021 12:28 AM

now i'm trying something like this;

 

search | stats count(B) by A,B |sort -A |where sum(count(B))>3

0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...