Hi @woodcock is there a way to extract the value 1 or 2 or N of a multivalued field ?

Thanks

... | eval 2nd = mvindex(mvfield, 1, 1)

Hi @woodcock thank you

the full SPL working for me is:

...  | evenstats values(host) AS _host_list  | eval 2nd = mvindex(_name_list, 1, 1) | nomv 2nd

Did the suggested solution work for anybody?

For me its always giving null value, but if i am trying to print , the variable shows all the values in non multifield fashion.

Following is the query

index=app_index earliest=-5m | dedup source | eventstats values(host) as hostlists | nomv hostlists | table source, host

And in the subject used like this-

Alert occurred for follwoing hosts
$result.hostlists$

If i remove, "| nomv hostlists" , then it gives at least one host.

Also tried with evaluating as separate field, but again no luck.

index=app_index earliest=-5m | dedup source | eventstats values(host) as hostlists | nomv hostlists | eval hostlist=hostlists | nomv hostlist | table source, host

And used as  $result.hostlist$

Thanks

Hello @woodcock  any suggestion pls?

How is this hard?

Your search is this:

index=app_index earliest=-5m 
| dedup source 
| table source, host

I said this:
In your search, add this SPL:

| evenstats values(host) AS _host_list 
| nomv _host_list

Then use $result._host_list$ in your subject.

Which means you end up with this:

index=app_index earliest=-5m
| dedup source
| table source, host
| evenstats values(host) AS _host_list
| nomv _host_list

 Then use $result._host_list$ in your subject.