How do you use multi value tags in eval?

Marinus · ‎06-07-2011

I getting an eval error when I'm trying to use eval on a host tag.
"Error in 'eval' command: The expression is malformed. Expected )"

Most hosts have more than on tag.

* | eval nr_tags=eval(mvcount(tag::host))

bob_kerns · ‎09-06-2014

Very belated answer, but helpful for those who may end up here by search...

Instead of "tag::host", try single quote:
* | eval nr_tags=mvcount('tag::host')

Try this and compare the results. Set up more than one tag on at least one host so you can compare:

* | eval foo="tag::host"
   | tags outputfield=bar host
   | eval bar2='tag::host'
   | eval baz=mvcount("tag::host")
   | eval buz=mvcount('tag::host')

bob_kerns · ‎09-06-2014

Note, however, that this won't work in a computed field, since tagging happens after field extraction (including computed fields).

msenebald · ‎06-19-2013

Hi I have a similar problem.

the thing is even with

* | eval nr_tags=mvcount("tag::host")

you will always get 1 in nr_tags. it takes this as a string.

I would like to do something like this:

| eval iscool=if("tag::host" == "cool", "yes" , "no")

where host=fridge with tags: cool, fridge, ..

So actually i want to have a field in case a certain tag is applied to this event.
But i strugle to identify this in the tag::host field. mvcount and so always sees "tag::host" as a string, not as the field

Any Ideas?

How do you use multi value tags in eval?

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Are you a member of the Splunk Community?

How do you use multi value tags in eval?

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination