Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dynamically order in mvappend

duesser
Path Finder
‎11-30-2023 03:43 AM

I have some data where I want to write the values of "test_n" (n in 1,2,...20) into a multivalue field and keep the  numeric order. My attempt is to create the fields in a subsearch and pass to "mvapend()". This does not work. 

 

| makeresults count=20
| streamstats count
| eval test_{count}=count
| stats first(test*) AS test*
| eval x=mvappend([| makeresults count=20
| streamstats count AS count
| eval field_names="test".count
| stats list(field_names) AS field_names
| nomv field_names
| eval field_names=replace(field_names," ",", ")
|return $field_names])

 

 Is there any alternative to spelling out:

 

| eval x=mvappend(test_1,...test_20)

 

by hand?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-30-2023 04:18 AM

You are missing an underscore!

| makeresults count=20
| streamstats count
| eval test_{count}=count
| stats first(test*) AS test*
| eval x=mvappend([| makeresults count=20
| streamstats count AS count
| eval field_names="test_".count
| stats list(field_names) AS field_names
| nomv field_names
| eval field_names=replace(field_names," ",", ")
|return $field_names])

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-30-2023 04:18 AM

You are missing an underscore!

| makeresults count=20
| streamstats count
| eval test_{count}=count
| stats first(test*) AS test*
| eval x=mvappend([| makeresults count=20
| streamstats count AS count
| eval field_names="test_".count
| stats list(field_names) AS field_names
| nomv field_names
| eval field_names=replace(field_names," ",", ")
|return $field_names])
Reply
Solved! Jump to solution

duesser
Path Finder
‎11-30-2023 04:49 AM

Well... thanks 🙂

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...