topic Re: Check if Field is a Multivalue Field in Splunk Enterprise Security

Check if Field is a Multivalue Field

thomasvanhelden — Tue, 26 Nov 2019 07:44:15 GMT

Is it possible to check if a certain field is a multi-value field?

I'm rewriting some old searches. They contain a few mvexpand commands, but I'm not sure whether this is necessary or not.
I don't know how to verify if the mvexpand is required and it seems risky to just leave it out and see if the search still works.

Re: Check if Field is a Multivalue Field

thomasvanhelden — Tue, 26 Nov 2019 09:25:28 GMT

I just read about the mvcount function. I guess that can be used to count the number of values in the field and check if there are any counts higher than one.

Re: Check if Field is a Multivalue Field

to4kawa — Tue, 26 Nov 2019 13:56:52 GMT

| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-1d@d"), relative_time(_time,"@d")) 
| makecontinuous span=15m 
| fillnull 
| where count!=1 
| eval count = random() % 50  
| eval count2 = count % 2 + 1
| eval count3 = count % 3 + 1
| bin span=1h aligntime=-1h@h _time 
| stats list(count) as count values(count2) as count2 values(count3) as count3 by _time 
`comment("this is sample data")`
| eval check="" 
| foreach "*" 
    [ eval check=if(mvcount(<<FIELD>>) > 1 ,mvappend(check,"<<FIELD>>") ,check) ]

Hi, @thomasvanhelden
How about it?

Re: Check if Field is a Multivalue Field

techiesid — Tue, 26 Nov 2019 14:01:59 GMT

Hi @thomasvanhelden ,

Just a thought, why dont you keep the mvexpand command as is. If it is single value field mvexpand will do nothing. and if that field is a mv field then only mvexpand will work.

Sid

Re: Check if Field is a Multivalue Field

wmyersas — Tue, 26 Nov 2019 15:23:39 GMT

It would probably be better to figure-out what the search is trying to do in the first place

There may be better ways of finding what the searches are trying to do - given that these ones you're looking at are "old"

Or there might not 🙂

That said, mvexpand doesn't really hurt you if the field is not multivalue (there's a tiny performance hit, but it's pretty small)

In my experience, I "know" a field [may] be multivalue in one of two instances:

it comes out of JSON
there was a | stats list() or | stats values() that built the field in question

If neither of those is true, it's probably not multivalue

Re: Check if Field is a Multivalue Field

lkutch_splunk — Tue, 26 Nov 2019 17:35:52 GMT

Sounds like if your search has multivalue fields & you want them separated out, then you use it...
https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Mvexpand
"Expands the values of a multivalue field into separate events, one event for each value in the multivalue field. For each result, the mvexpand command creates a new result for every multivalue field."
If you don't want them separated, then you don't.

Re: Check if Field is a Multivalue Field

woodcock — Tue, 26 Nov 2019 17:39:52 GMT

You can use mvcount for this.

Re: Check if Field is a Multivalue Field

wmyersas — Tue, 26 Nov 2019 19:03:08 GMT

OP's already using mvexpand - he's trying to figure out if he needs to or not 🙂

Re: Check if Field is a Multivalue Field

thomasvanhelden — Wed, 27 Nov 2019 10:58:26 GMT

This is a solution to my problem! I built something similar myself. Thank you!