Solved: Check if Field is a Multivalue Field

thomasvanhelden · ‎11-25-2019

Is it possible to check if a certain field is a multi-value field?

I'm rewriting some old searches. They contain a few mvexpand commands, but I'm not sure whether this is necessary or not.
I don't know how to verify if the mvexpand is required and it seems risky to just leave it out and see if the search still works.

wmyersas · ‎11-26-2019

It would probably be better to figure-out what the search is trying to do in the first place

There may be better ways of finding what the searches are trying to do - given that these ones you're looking at are "old"

Or there might not 🙂

That said, mvexpand doesn't really hurt you if the field is not multivalue (there's a tiny performance hit, but it's pretty small)

In my experience, I "know" a field [may] be multivalue in one of two instances:

it comes out of JSON
there was a | stats list() or | stats values() that built the field in question

If neither of those is true, it's probably not multivalue

View solution in original post

woodcock · ‎11-26-2019

You can use mvcount for this.

lkutch_splunk · ‎11-26-2019

Sounds like if your search has multivalue fields & you want them separated out, then you use it...
https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Mvexpand
"Expands the values of a multivalue field into separate events, one event for each value in the multivalue field. For each result, the mvexpand command creates a new result for every multivalue field."
If you don't want them separated, then you don't.

wmyersas · ‎11-26-2019

OP's already using mvexpand - he's trying to figure out if he needs to or not 🙂

wmyersas · ‎11-26-2019

It would probably be better to figure-out what the search is trying to do in the first place

There may be better ways of finding what the searches are trying to do - given that these ones you're looking at are "old"

Or there might not 🙂

That said, mvexpand doesn't really hurt you if the field is not multivalue (there's a tiny performance hit, but it's pretty small)

In my experience, I "know" a field [may] be multivalue in one of two instances:

it comes out of JSON
there was a | stats list() or | stats values() that built the field in question

If neither of those is true, it's probably not multivalue

to4kawa · ‎11-26-2019

| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-1d@d"), relative_time(_time,"@d")) 
| makecontinuous span=15m 
| fillnull 
| where count!=1 
| eval count = random() % 50  
| eval count2 = count % 2 + 1
| eval count3 = count % 3 + 1
| bin span=1h aligntime=-1h@h _time 
| stats list(count) as count values(count2) as count2 values(count3) as count3 by _time 
`comment("this is sample data")`
| eval check="" 
| foreach "*" 
    [ eval check=if(mvcount(<<FIELD>>) > 1 ,mvappend(check,"<<FIELD>>") ,check) ]

Hi, @thomasvanhelden
How about it?

thomasvanhelden · ‎11-27-2019

This is a solution to my problem! I built something similar myself. Thank you!

thomasvanhelden · ‎11-26-2019

I just read about the mvcount function. I guess that can be used to count the number of values in the field and check if there are any counts higher than one.

techiesid · ‎11-26-2019

Hi @thomasvanhelden ,

Just a thought, why dont you keep the mvexpand command as is. If it is single value field mvexpand will do nothing. and if that field is a mv field then only mvexpand will work.

Sid

Check if Field is a Multivalue Field

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)