Splunk Search

Finding the length of multivalue/singlevalue field

smanojkumar
Contributor

Hello There,

I would like to pass two different values as a token. The search takes code as a token, where the code field can hold a single value or multiple values. We need to calculate the length: if the length is equal to 1, we need to pass value_1; if the length is greater than 1, we need to pass value_2 in a new token.

index=03_f123456 sourcetype=logs* (CODE IN ($code$))
| eval x=len($code$)
| eval y=if(x=1,"value_1","value_2")
| dedup y | table y


Thanks in advance!

0 Karma
1 Solution

zksvc
Contributor

Hi @smanojkumar  

Were you able to solve it with that query?
If it was helpful, maybe you can mark it as solved, and I would appreciate it if you gave me karma.

If you mark it as solved, it will help other users who have the same problem.


smanojkumar
Contributor

Hello @zksvc ,

Thanks for your prompt response and thanks for your time!

It works, but my token value will be enclosed like ("token_value").

Let's say the token and results can be:

Token               Result    Reason
("*")               value_1   Since the length of "*" is 1, we need to pass value1
( "abc")            value_2   Since the length of "abc" is 3, we need to pass value2
("ajd","abc","sd")  value_2   Since the length of "ajd" is 3, we need to pass value2

The purpose of this: my use case is to find whether the token contains "*" or not. Since it's an input dropdown for a multivalue field, if I use mv commands it only works for multivalues, but in some cases we will be getting a single value from the input dropdown, so I need a condition that works in both cases.


Thanks!

0 Karma

zksvc
Contributor

Hi @smanojkumar 

According to your information, what if we create a new field, let's say max_length, put that field in the condition, then run the query like this:

index=03_f123456 sourcetype=logs* (CODE IN ($code$))
| eval code_list = split(trim("($code$)", "()"), ",")                    
| eval lengths = mvmap(code_list, len(trim('code_list', '"')))           
| eval max_length = if(mvfind(lengths, 1) >= 0, "value_1", "value_2")   
| table code_list max_length

 

Let me know if it works

 

Thanks!

0 Karma

smanojkumar
Contributor

Hello @zksvc ,

Thanks again!

I'm facing the error "unbalanced quotes" in this line:

| eval lengths = mvmap(code_list, len(trim('code_list', '"')))

So I have modified this as:
| eval lengths = mvmap(code_list, len(trim('code_list', "\"")))

Though, eval is not accepting "*" as a token value in code.

Thanks!

0 Karma


zksvc
Contributor

Hi @smanojkumar 

Maybe you can try this 

index=03_f123456 sourcetype=logs* (CODE IN ($code$))
| eval code_list=split("$code$", ",") 
| eval x=mvcount(code_list) 
| eval y=if(x==1, "value_1", "value_2") 
| dedup y | table y

 

Let me know if it works

0 Karma
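
A run-anywhere sketch of the check discussed in this thread, added here as an example and not written by either poster: it stands in three constructed tokens (the shapes from the table above) for the dashboard's $code$ and reports value_1 when any entry is exactly "*", whether the token holds one value or several. The field names sample_token, code_list and y are illustrative.

```spl
| makeresults
| eval sample_token=split("(\"*\");(\"abc\");(\"ajd\",\"abc\",\"sd\")", ";")
| mvexpand sample_token
| eval code_list=split(trim(sample_token, "()"), ",")
| eval code_list=mvmap(code_list, trim(code_list, "\" "))
| eval y=if(isnotnull(mvfind(code_list, "^\*$")), "value_1", "value_2")
| table sample_token code_list y
```

In a dashboard, replace the constructed sample_token with the real token; the `$code|s$` token filter wraps the substituted value in double quotes and escapes any quotes inside it, which avoids the "unbalanced quotes" error when the token is placed in an eval string.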