Solved: Re: How do I refer to the first, nth or last value...

cfrln · ‎01-29-2010

I am using the transaction command to sessionize web access log events and therefore have made referer, uri etc. into multivalue fields. How do I report on the first value of referer? The second page visited? The exit page?

Stephen_Sorkin · ‎01-29-2010

You can use the mvindex eval function that's described in: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/CommonEvalFunctions

As an example: ... | eval second_uri = mvindex(uri, 1) | ...

View solution in original post

Stephen_Sorkin · ‎01-29-2010

You can use the mvindex eval function that's described in: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/CommonEvalFunctions

As an example: ... | eval second_uri = mvindex(uri, 1) | ...

gkanapathy · ‎02-01-2010

hulahoop, the field value ordering is controlled by the "mvlist" parameter of the "transaction" command: http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction

hulahoop · ‎01-29-2010

Very cool! Are mv fields sorted by time in a transaction?

How do I refer to the first, nth or last value of a multivalue field?

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?