Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Finding the length of multivalue/singlevalue field

smanojkumar
Contributor
‎11-04-2024 06:59 PM

Hello There,

    I would like to pass two diffrent values as a token, the search consists of code as a token, where code field can be single values or with multiple values, we need to calculate the length and if the length is equal to 1, then we need pass value_1., if the length is greater than 1, then we need to pass value_2 in a new token,

index=03_f123456 sourcetype=logs*  (CODE IN ($code$))
| eval x=len($code$)
| eval y=if(x=1,"value_1",value_2")
|dedup y |table y


Thanks in advance!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

zksvc
Contributor
‎11-05-2024 04:04 AM

Hi @smanojkumar  

Then you can solve it with that query ?
if it helpful maybe you can mark as solve and will be appreciate if give me karma.

because if you mark it as solve, it will help for another user who have same problem

View solution in original post

Reply
Solved! Jump to solution

smanojkumar
Contributor
‎11-04-2024 07:25 PM

Hello @zksvc ,

   Thanks for your prompt response and Thanks for your time!

    It works but my token value will be enclosed with  ("token_value"), 

Lets say token and results can be

Token                             Result             Reason
("*")                                  value_1         Since the length of "*" is 1, we need pass value1
( "abc")                           value_2         Since the length of "abc" is 3, we need pass value2
("ajd","abc","sd")         value_2         Since the length of "ajd" is 3, we need pass value2

The purpose of this is, My use case is to find wheather the token consists of "*" in it or not, Since its a inputdropdown of multivalue field, If i use mv commands it only works for multivalues but at some cases we will be getting single value from the input dropdown, So i need a condition to work in both the cases.


Thanks!

0 Karma
Reply
Solved! Jump to solution

zksvc
Contributor
‎11-04-2024 08:28 PM

Hi @smanojkumar 

According in your information what if we create new field, let say max_length. put that field in condition then run the query like this

index=03_f123456 sourcetype=logs* (CODE IN ($code$))
| eval code_list = split(trim("($code$)", "()"), ",")                    
| eval lengths = mvmap(code_list, len(trim('code_list', '"')))           
| eval max_length = if(mvfind(lengths, 1) >= 0, "value_1", "value_2")   
| table code_list max_length

 

Let me know if it works

 

Danke!

 

 

 

0 Karma
Reply
Solved! Jump to solution

smanojkumar
Contributor
‎11-04-2024 10:23 PM

Hello @zksvc ,

    Thanks again!

    I'm facing error in this line "unbalanced quotes"

| eval lengths = mvmap(code_list, len(trim('code_list', '"')))

So ihave modified this as 
| eval lengths = mvmap(code_list, len(trim('code_list', "\"")))


though eval is not accepting "*" as a token value in code.

Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

zksvc
Contributor
‎11-05-2024 04:04 AM

Hi @smanojkumar  

Then you can solve it with that query ?
if it helpful maybe you can mark as solve and will be appreciate if give me karma.

because if you mark it as solve, it will help for another user who have same problem

Reply
Solved! Jump to solution

zksvc
Contributor
‎11-04-2024 07:13 PM

Hi @smanojkumar 

Maybe you can try this 

index=03_f123456 sourcetype=logs* (CODE IN ($code$))
| eval code_list=split("$code$", ",") 
| eval x=mvcount(code_list) 
| eval y=if(x==1, "value_1", "value_2") 
| dedup y | table y

 

Let me know if it works

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...