- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Multivalue field if more than one value output yes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Splunk Community,
I have a multivalue field that outputs "No" after applying if eval statement. I would like to have it output yes if there is more than 1 value for that field.
I believe its my eval command that needs to be fixed: | eval Result=if(Doc=DocId, "Yes", "No")
(index="XYZ" ) OR (index="123" )
| eval Doc=if(level="RecordCount", DocId,"no_level")
|fillnull DocType value=NA
|eval Result=if(Doc=DocId,"Yes","No")
| stats values(Doc) values(level) values(RecordCount) values(Result) by DocType| docType | values(DocId) | values(level) | values(RecordCount) | values(Result) |
| 12345, no_level | submitted | 1 | No (this should say yes) |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alright!
Just use max(Result) as Result instead of values(result)
Lexicographically, Y is greater than N and hence Yes will be chosen by max.
👍if it helps
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As per your last search result level = submitted (see values(level))
So in your first eval statement, i.e
| eval Doc=if(level="RecordCount", DocId,"no_level")
Doc = no_level since level is not RecordCount but submitted
So in the second eval statement,
|eval Result=if(Doc=DocId,"Yes","No")
no_level = Doc is No
Not sure, if I miss something in between but Splunk seems to be right here .
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@renjith_nair Thanks for helping me out. I did try your suggestion |eval Result=if(Doc=DocId,"Yes","No"). However the issue that I have is the last values(Result) column displays yes and no and not just yes. So my results look like this. I only need it to say yes where values(Doc) has a series of numbers known as the DocId field, but in this case I have value(Doc) with no_level and DocId, which in turn gives me a yes and a no result. I just need it to say yes where DocId is present regardless of there being the no_level value.
| DocType | values(Doc) | values(level) | values(RecordCount) | values(Result) |
| no_level | submitted | 0 | No | |
| csv | 12345 no_level | submitted 12345 | 0,1 | No, Yes |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alright!
Just use max(Result) as Result instead of values(result)
Lexicographically, Y is greater than N and hence Yes will be chosen by max.
👍if it helps
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@renjith_nair Thank you! you don't know how helpful this was for me 😊
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are welcome! Glad it worked. Appreciate a 👍 for the solution by clicking on the karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
