topic Re: Splunk filter search to show only multi-value fields in Getting Data In

Splunk filter search to show only multi-value fields

brinley — Thu, 25 Jul 2019 16:28:47 GMT

I'm working on a splunk search head that was set up my someone else at work and I'm not very familiar with the dataset we're using splunk to analyze. I can see from the search results that some fields have multiple values, but I'm not sure how many fields are multi-value. I'd like to construct a query to only show the multi-value fields in the results, or better yet, to get a list of all of the multi-value fields in my dataset.

I'm familiar with the fields some_field command that filters the results by a particular field. I think I could use something similar to filter the results to show only multi-value fields. I would need something like:

index="puppies" | fields=[only multi-value fields]

Is this possible in splunk?
Note: I have an inkling that there might be a button or something in the splunk results gui that could show me only multi-value fields. If that exists, please let me know. Thanks in advance!

Re: Splunk filter search to show only multi-value fields

jpolvino — Thu, 25 Jul 2019 17:50:16 GMT

Here is one way to get an overview of all the fields:

| makeresults 
| eval multival_1=mvappend("one","two","three") 
| eval multival_2=mvappend("red","green") 
| eval singleval_1="winter,spring,summer" 
| eval singleval_2="fall"
| fieldsummary
| eval fieldType=if(like(values,"%},{%"),"Multi","Single")

Then if you want to see only the multivalue, you can add this line to the bottom:

| where fieldType="Multi"

And then the field named "field" will contain all your mv fields.

Re: Splunk filter search to show only multi-value fields

brinley — Thu, 25 Jul 2019 21:17:56 GMT

@jpolvino Thanks for the help. This query is returning results that say all my fields are multi-valued, which is not correct. Unless I'm wrong about the meaning of a multi-valued field: is a field with a value equal to a single string of unique words delimited by newlines considered a multi-valued field? Because it sure behaves like a single valued field (especially given that splunk returns multi-valued field values as objects, and I'm consistently getting strings from splunk).

Sorry if I'm not making much sense. If you can't answer my question above, can you tell me what "%},{%" means? I'm guessing a pattern that matches on two unique values separated by a comma? How does that pattern determine if a field is multi-valued?

Re: Splunk filter search to show only multi-value fields

jpolvino — Fri, 26 Jul 2019 12:05:45 GMT

Pass the field in question as a parameter to the mvcount function. If it returns 1, it is not multivalue. If it returns >1 then it is multivalue.

The pattern you call out above detects a multivalue field. If you look at the output of the top code snippet I provided, you'll see a "value" field at the right, looking like this:

values
[{"value":"one","count":1},{"value":"three","count":1},{"value":"two","count":1}]
[{"value":"green","count":1},{"value":"red","count":1}]
[{"value":"winter,spring,summer","count":1}]
[{"value":"fall","count":1}]

The top 2 rows belong to the multivalue fields, and have the },{ pattern.

If this doesn't work for your case, then please post sample fields: ones you want to collect, and ones you want to reject, and I'm sure the community will help get you what you need.

Re: Splunk filter search to show only multi-value fields

woodcock — Fri, 26 Jul 2019 20:44:33 GMT

You need to realize that it maybe only a single event that has multivalue fields when all others do not. In any case, try this:

 index="puppies" | foreach * [ eval mvcount_<<FIELD>> = mvcount(<<FIELD>>) | eval mvcount_AnyTh1n6 = if(mvcount_<<FIELD>> > 0, "YES", mvcount_AnyTh1n6) ]
| where mvcount_AnyTh1n6 == "YES"
| evenstats max(mvcount_*) AS dropme_*
| foreach dropme_* [ eval <<FIELD>> = if(<<FIELD>> == 0, "YES", null()) ]
| foreach dropme_* [ fields - <<MATCHSTR>> <<FIELD>> ]

Also, the fieldsummary command may be helpful:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fieldsummary