My logs contain an application field which has either a single value or multiple values.
I am using the makemv command to split on the comma so that the applications are separated when a log has multiple values as an array,
but if an application, for example [AML_PK2], is single in one log and appears with many other applications in another log, such as [AML_PK1, AML_PK2, AML_PK3], then after counting both the results look like:
AML_PK1 = 1
AML_PK2 = 1
AML_PK2 = 1
AML_PK3 = 1
How do I combine the results for AML_PK2 so that it shows a count of 2?
My search query:
index="app_web"
| eval field1 = split(applications,"[")
| eval field2 = split(field1,"]")
| makemv delim="," field2
| search field2!=application/
| search field2!=text/
| top field2 by user countfield="No of Searches" showperc=False
| rename field2 as "APPS"
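An added example, not from the original post: it assumes the duplicate rows come from the space after each comma in the raw value (makemv delim="," leaves " AML_PK2" with a leading space, which top counts as a different value from "AML_PK2"). It extracts each application name without the brackets or surrounding whitespace, using the applications and user fields from the poster's query.

```spl
index="app_web"
| rex field=applications max_match=0 "(?<APPS>[^\[\],\s]+)"
| mvexpand APPS
| search APPS!=application/ APPS!=text/
| top APPS by user countfield="No of Searches" showperc=false
```

rex with max_match=0 captures every token into one multivalue field, so the separate split on "[" and "]" and the trimming step are no longer needed, and the two exclusions are kept as exact matches just as in the original query.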