Splunk Search

How to extract from multivalue field result

Explorer

Hi,

Below is the result from my transaction command. How do I extract only one date from the  multiple dates below?
I only need the first one which is 2020-07-05 22:02:01.
 
 
2020-07-05 22:02:01
2020-07-05 22:02:36
2020-07-05 22:02:58
2020-07-06 03:02:41
 

extract.PNG

 

I tried mvindex and split but it doesnt give me a result.

 

Thanks,

Labels (1)
Tags (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

@Noob_splunker,

It looks like your field name is the culprit.

Try renaming the field it to start with a letter.

| rename 4G_OutageStart as FG_OutageStart
| eval firstValue=mvindex(FG_OutageStart,0)

 

View solution in original post

SplunkTrust
SplunkTrust

@Noob_splunker,

It looks like your field name is the culprit.

Try renaming the field it to start with a letter.

| rename 4G_OutageStart as FG_OutageStart
| eval firstValue=mvindex(FG_OutageStart,0)

 

View solution in original post

Explorer

yup it worked after i renamed it! thanks much!

0 Karma

Motivator

Surrounding fields with single quotes ' will ensure eval command works with field names that start with numbers or have spaces in, as in my example

0 Karma

SplunkTrust
SplunkTrust

Yes sure

0 Karma

Motivator

Split and mvindex should work, try this

| makeresults
| eval 4G_OutageStart="2020-07-05 22:02:01,2020-07-05 22:02:36,2020-07-05 22:02:58,2020-07-06 03:02:41"
| eval 4G_OutageStart=split('4G_OutageStart',",")
| eval DataPoints=mvcount('4G_OutageStart')
| eval FirstDateTime=mvindex('4G_OutageStart',0,0)

If things are not working, it may be that your data looks like an MV field, but is not. You can check with the mvcount eval statement I included above.  

0 Karma