How do I assign value to list or array and use it ...

LearningGuy · ‎03-19-2024

How do I assign value to list or array and use it in where condition?
Thank you in advance!!

For example:
I tried to search if number 4 is in array/list of number between 0 to 6.

index = test
| eval   list-var = (0,1,2,3,4,5,6)
| eval num = 4
| search num IN list-var

PickleRick · ‎03-19-2024

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions#mvfind.2...

LearningGuy · ‎03-19-2024

Hello,
So, is multivalue the only way to use list/array?
If I want to assign 7 values, should I use mvappend 7 times like the following?

| eval test = mvappend("0", test)
| eval test = mvappend("1", test)
| eval test = mvappend("2", test)
| eval test = mvappend("3", test)
| eval test = mvappend("4", test)
| eval test = mvappend("5", test)
| eval test = mvappend("6", test)

How do I get true/false return if I want to see if number 5 is in the array/list?
MVfind only give me the position of 5, which is 1.

| eval n = mvfind(test, "5")

Thank you

PickleRick · ‎03-19-2024

You can "nest" mvappends to add multiple values at once. You can also use split() to make a multivalued field from a string of delimited values.

You can use isnull() to check if mvfind returned a value or not.

One caveat about mvfind though - it matches based on regex so you might get some unexpected results if you're not careful

How do I assign value to list or array and use it in where condition?

eval

SplunkTrust Application Period is Officially OPEN!

Splunk Answers Content Calendar, June Edition II

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Are you a member of the Splunk Community?

How do I assign value to list or array and use it in where condition?

eval

SplunkTrust Application Period is Officially OPEN!

Splunk Answers Content Calendar, June Edition II

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...