Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dynamically order in mvappend

duesser
Path Finder
‎11-30-2023 03:43 AM

I have some data where I want to write the values of "test_n" (n in 1,2,...20) into a multivalue field and keep the  numeric order. My attempt is to create the fields in a subsearch and pass to "mvapend()". This does not work. 

 

| makeresults count=20
| streamstats count
| eval test_{count}=count
| stats first(test*) AS test*
| eval x=mvappend([| makeresults count=20
| streamstats count AS count
| eval field_names="test".count
| stats list(field_names) AS field_names
| nomv field_names
| eval field_names=replace(field_names," ",", ")
|return $field_names])

 

 Is there any alternative to spelling out:

 

| eval x=mvappend(test_1,...test_20)

 

by hand?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-30-2023 04:18 AM

You are missing an underscore!

| makeresults count=20
| streamstats count
| eval test_{count}=count
| stats first(test*) AS test*
| eval x=mvappend([| makeresults count=20
| streamstats count AS count
| eval field_names="test_".count
| stats list(field_names) AS field_names
| nomv field_names
| eval field_names=replace(field_names," ",", ")
|return $field_names])

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-30-2023 04:18 AM

You are missing an underscore!

| makeresults count=20
| streamstats count
| eval test_{count}=count
| stats first(test*) AS test*
| eval x=mvappend([| makeresults count=20
| streamstats count AS count
| eval field_names="test_".count
| stats list(field_names) AS field_names
| nomv field_names
| eval field_names=replace(field_names," ",", ")
|return $field_names])
Reply
Solved! Jump to solution

duesser
Path Finder
‎11-30-2023 04:49 AM

Well... thanks 🙂

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...