Solved: Re: Get counts of more than one field in same even...

tnkoehn · ‎02-22-2013

Let's say I have log records that look like this

Field 1     Field 2
ABC         XYZ
ABC         KLM
XYZ         ABC         
ABC         XYZ
KLM         KLM

I want to get the number of ABCs and also the number XYZs regardless of what field they're in, and ignore anything else. So results would look like this:

Value     Count
ABC       4
XYZ       3

My current search is below, but it won't total correctly if field1 AND field2 both have an ABC or XYZ.

search * 
| eval value=case(match(field1,"^[ABC|XYZ]",field1,match(field2,"^[ABC|XYZ]",field2)
|count by value

It's probably incredibly easy, but I can't figure it out.

martin_mueller · ‎02-22-2013

You could create four individual counts like this

...  | stats count(eval(f1=="ABC")) as abc_1 count(eval(f2=="ABC")) as abc_2 count(eval(f1=="XYZ")) as xyz_1 count(eval(f2=="XYZ")) as xyz_2

and then add each pair together to get your two counts.

View solution in original post

martin_mueller · ‎02-22-2013

You could create four individual counts like this

...  | stats count(eval(f1=="ABC")) as abc_1 count(eval(f2=="ABC")) as abc_2 count(eval(f1=="XYZ")) as xyz_1 count(eval(f2=="XYZ")) as xyz_2

and then add each pair together to get your two counts.

Get counts of more than one field in same event

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...