How do I assign value to list or array and use it ...

LearningGuy · ‎03-19-2024

How do I assign value to list or array and use it in where condition?
Thank you in advance!!

For example:
I tried to search if number 4 is in array/list of number between 0 to 6.

index = test
| eval   list-var = (0,1,2,3,4,5,6)
| eval num = 4
| search num IN list-var

PickleRick · ‎03-19-2024

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions#mvfind.2...

LearningGuy · ‎03-19-2024

Hello,
So, is multivalue the only way to use list/array?
If I want to assign 7 values, should I use mvappend 7 times like the following?

| eval test = mvappend("0", test)
| eval test = mvappend("1", test)
| eval test = mvappend("2", test)
| eval test = mvappend("3", test)
| eval test = mvappend("4", test)
| eval test = mvappend("5", test)
| eval test = mvappend("6", test)

How do I get true/false return if I want to see if number 5 is in the array/list?
MVfind only give me the position of 5, which is 1.

| eval n = mvfind(test, "5")

Thank you

PickleRick · ‎03-19-2024

You can "nest" mvappends to add multiple values at once. You can also use split() to make a multivalued field from a string of delimited values.

You can use isnull() to check if mvfind returned a value or not.

One caveat about mvfind though - it matches based on regex so you might get some unexpected results if you're not careful

How do I assign value to list or array and use it in where condition?

eval

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Are you a member of the Splunk Community?

How do I assign value to list or array and use it in where condition?

eval

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud