Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multivalue field if more than one value output yes

Mary666
Communicator
‎12-22-2020 04:31 PM

Hello Splunk Community, 

 

I have a multivalue field that outputs "No" after applying if eval statement. I would like to have it output yes if there is more than 1 value for that field.  

I believe its my eval command that needs to be fixed: | eval Result=if(Doc=DocId, "Yes", "No")

(index="XYZ" ) OR (index="123" )
| eval Doc=if(level="RecordCount", DocId,"no_level") 
|fillnull DocType value=NA

|eval Result=if(Doc=DocId,"Yes","No")

| stats values(Doc) values(level) values(RecordCount) values(Result) by DocType
docTypevalues(DocId)values(level)values(RecordCount)values(Result)
PDF12345, no_levelsubmitted1No (this should say yes)
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎12-22-2020 06:14 PM

Alright!

Just use max(Result) as Result instead of values(result)

Lexicographically,  Y is greater than N and hence Yes will be chosen by max.

👍if it helps

Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution

renjith_nair
SplunkTrust
SplunkTrust
‎12-22-2020 05:29 PM

As per your last search result  level = submitted (see values(level))

So in your first eval statement, i.e

| eval Doc=if(level="RecordCount", DocId,"no_level")

 Doc = no_level since level is not RecordCount but submitted

So in the second eval statement, 

|eval Result=if(Doc=DocId,"Yes","No")

no_level  =  Doc is No

Not sure, if I miss something in between but Splunk seems to be right here .

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

Mary666
Communicator
‎12-22-2020 05:55 PM

@renjith_nair  Thanks for helping me out. I did try your suggestion |eval Result=if(Doc=DocId,"Yes","No"). However the issue that I have is the last values(Result) column displays yes and no and not just yes.  So my results look like this. I only need it to say yes where values(Doc) has a series of numbers known as the DocId field, but in this case I have value(Doc) with no_level and DocId, which in turn gives me a yes and a no result. I just need it to say yes where DocId is present regardless of there being the no_level value.  

DocTypevalues(Doc)values(level)values(RecordCount)values(Result)
pdfno_level submitted0No
csv12345
no_level		submitted
12345		0,1No, Yes 
0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎12-22-2020 06:14 PM

Alright!

Just use max(Result) as Result instead of values(result)

Lexicographically,  Y is greater than N and hence Yes will be chosen by max.

👍if it helps

Happy Splunking!
Reply
Solved! Jump to solution

Mary666
Communicator
‎12-22-2020 08:19 PM

@renjith_nair  Thank you! you don't know how helpful this was for me 😊

Reply
Solved! Jump to solution

renjith_nair
SplunkTrust
SplunkTrust
‎12-27-2020 07:47 PM

@Mary666 

You are welcome! Glad it worked. Appreciate a 👍 for the solution by clicking on the karma 🙂

Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...