Solved: Dynamically order in mvappend

duesser · ‎11-30-2023

I have some data where I want to write the values of "test_n" (n in 1,2,...20) into a multivalue field and keep the numeric order. My attempt is to create the fields in a subsearch and pass to "mvapend()". This does not work.

| makeresults count=20
| streamstats count
| eval test_{count}=count
| stats first(test*) AS test*
| eval x=mvappend([| makeresults count=20
| streamstats count AS count
| eval field_names="test".count
| stats list(field_names) AS field_names
| nomv field_names
| eval field_names=replace(field_names," ",", ")
|return $field_names])

Is there any alternative to spelling out:

| eval x=mvappend(test_1,...test_20)

by hand?

ITWhisperer · ‎11-30-2023

You are missing an underscore!

| makeresults count=20
| streamstats count
| eval test_{count}=count
| stats first(test*) AS test*
| eval x=mvappend([| makeresults count=20
| streamstats count AS count
| eval field_names="test_".count
| stats list(field_names) AS field_names
| nomv field_names
| eval field_names=replace(field_names," ",", ")
|return $field_names])

View solution in original post

ITWhisperer · ‎11-30-2023

You are missing an underscore!

| makeresults count=20
| streamstats count
| eval test_{count}=count
| stats first(test*) AS test*
| eval x=mvappend([| makeresults count=20
| streamstats count AS count
| eval field_names="test_".count
| stats list(field_names) AS field_names
| nomv field_names
| eval field_names=replace(field_names," ",", ")
|return $field_names])

duesser · ‎11-30-2023

Well... thanks 🙂

Dynamically order in mvappend

eval

fields

subsearch

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!