Splunk Search

How to extract from multivalue field result

Noob_splunker
Explorer

Hi,

Below is the result from my transaction command. How do I extract only one date from the multiple dates below?
I only need the first one which is 2020-07-05 22:02:01.
2020-07-05 22:02:01
2020-07-05 22:02:36
2020-07-05 22:02:58
2020-07-06 03:02:41

(attachment: extract.PNG)

I tried mvindex and split but it doesn't give me a result.


Thanks,

1 Solution

renjith_nair
Legend

@Noob_splunker,

It looks like your field name is the culprit.

Try renaming the field to start with a letter.

| rename 4G_OutageStart as FG_OutageStart
| eval firstValue=mvindex(FG_OutageStart,0)


---
What goes around comes around. If it helps, hit it with Karma 🙂


Noob_splunker
Explorer

yup it worked after i renamed it! thanks much!


bowesmana
SplunkTrust

Surrounding fields with single quotes ' will ensure eval command works with field names that start with numbers or have spaces in, as in my example


renjith_nair
Legend

Yes sure

---
What goes around comes around. If it helps, hit it with Karma 🙂

bowesmana
SplunkTrust

Split and mvindex should work, try this

| makeresults
| eval 4G_OutageStart="2020-07-05 22:02:01,2020-07-05 22:02:36,2020-07-05 22:02:58,2020-07-06 03:02:41"
| eval 4G_OutageStart=split('4G_OutageStart',",")
| eval DataPoints=mvcount('4G_OutageStart')
| eval FirstDateTime=mvindex('4G_OutageStart',0,0)

If things are not working, it may be that your data looks like an MV field, but is not. You can check with the mvcount eval statement I included above.  

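As an added example (not part of the original thread, and not the poster's or the answerers' search), the following search builds a constructed sample in the same shape as the field the poster's transaction produced, keeps the single-quote convention the thread uses for a field name that begins with a digit, and goes one step beyond the replies above: it falls back to splitting only when mvcount shows the field is really a single delimited string, and it picks the earliest timestamp with mvsort instead of trusting position 0. The comma delimiter, the deliberately out-of-order sample values and the output field names are assumptions for this example.

```spl
| makeresults
| eval 4G_OutageStart="2020-07-05 22:02:36,2020-07-05 22:02:01,2020-07-05 22:02:58,2020-07-06 03:02:41"
| eval DataPoints=mvcount('4G_OutageStart')
| eval 4G_OutageStart=if(DataPoints==1, split('4G_OutageStart',","), '4G_OutageStart')
| eval DataPoints=mvcount('4G_OutageStart')
| eval FirstByPosition=mvindex('4G_OutageStart',0)
| eval FirstByTime=mvindex(mvsort('4G_OutageStart'),0)
| eval FirstEpoch=strptime(FirstByTime,"%Y-%m-%d %H:%M:%S")
| table DataPoints FirstByPosition FirstByTime FirstEpoch
```

With the constructed values, DataPoints is 4, FirstByPosition is 2020-07-05 22:02:36 and FirstByTime is 2020-07-05 22:02:01, which shows why the two differ when transaction does not hand back events in time order. mvsort sorts lexically, so it only yields chronological order for a fixed-width timestamp format like this one; for anything else, convert each value with strptime first. In the poster's real data the delimiter may be a newline rather than a comma, so adjust the split argument to match.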