Hi,
I have the following search on a Splunk indexer.
Although fields "a" and "b" return results, field "steps" does not return stable results (only one or zero results are returned).
thanks
sourcetype="F5:iRule:WebAccess"|sort -req_elapsed_time|head 3|stats count by url client_address req_elapsed_time server_name|stats sum(count) as count list(url) as a list(server_name) as b by server_name | eval steps=b."-".a| fields steps count
You can use mvexpand before your field concatenation.
mvexpand
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Mvexpand
sourcetype="F5:iRule:WebAccess"| head 100000 | sort -req_elapsed_time|head 3|stats count by url client_address req_elapsed_time server_name|stats sum(count) as count list(url) as a list(server_name) as b by server_name | mvexpand a | mvexpand b | eval steps=b."-".a | fields steps count
Thanks for your recommendation.
It solved my issue.
eval won't like doing string concatenations on multivalued fields. It does that on single-valued fields only.
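
Added example, not part of any post in this thread: a self-contained search over constructed data (the server name, URLs and count are made up) that builds the same kind of multivalued "a" and "b" fields and joins them element by element with mvzip before expanding. It assumes a Splunk version that provides makeresults.

```spl
| makeresults
| eval server_name="web01", count=3
| eval a=split("/login,/cart,/checkout", ","), b=split("web01,web01,web01", ",")
| eval steps=mvzip(b, a, "-")
| mvexpand steps
| table steps count
```

This returns three rows, one per URL. Replacing the mvzip and mvexpand lines with `mvexpand a | mvexpand b | eval steps=b."-".a` on the same data returns nine rows, because each mvexpand multiplies the rows by the number of values in its field.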