Spread our blog

Usage of Splunk EVAL Function : MVCOUNT

Usage of Splunk EVAL Function : MVCOUNT

  • This function takes single argument ( X ).
  • So argument may be any multi-value field or any single value field.
  • If X is a multi-value field, it returns the count of all values within the field.
  • If X is a single value-field , it returns count 1 as a result.
  • If field has no values , it will return NULL.

Find below the skeleton of the usage of the function “mvcount” with EVAL :

….. | eval NEW_FIELD=mvcount(X )

Example 1:

For multi-value field:

index=_internal sourcetype=splunkd_ui_access
| stats values(status) as status
| eval New_Field=mvcount(status)

Result:

mvcount

Explanation:

In the above query status is an existing field in _internal index and sourcetype name is splunkd_ui_access. Using values function with stats command we have created a multi-value field. Now status field becomes a multi-value field. At last we have used mvcount function to compute the count of values in status field and store the result in a new field called New_Field. As you can see in image in status field 6 values are coming so the result will show 6 in New_Field.

************************************************************************************

Example 2:

For single-value field :

index=_internal sourcetype=splunkd_ui_access
| table status
| dedup status
| eval New_Field=mvcount(status)

Result:

mvcount1

Explanation:

In the above query status is an existing field in _internal index and sourcetype name is splunkd_ui_access. By table command we have taken the values of status field in a tabular format and by the dedup command we have removes duplicate values from the result set. At last we have used mvcount function to compute the count of values in status field and store the result in a new field called New_Field. As status is a single-value field so it will return 1 every time as a result.

Now you can effectively utilize “mvcount” function with “eval” command to meet your requirement !!

 Hope you are now comfortable in : Usage of Splunk EVAL Function : MVCOUNT

HAPPY SPLUNKING !!

What’s your Reaction?
+1
+1
+1
3
+1
2
+1
+1
+1

Spread our blog
Previous articleUsage of Splunk EVAL Function : MVAPPEND
Next articleUsage of Splunk EVAL Function : MVZIP
splunkgeek
Passionate content developer dedicated to producing result-oriented content, a specialist in technical and marketing niche writing!! Splunk Geek is a professional content writer with 6 years of experience and has been working for businesses of all types and sizes. It believes in offering insightful, educational, and valuable content and it's work reflects that.

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here