Splunk Search

Is the mvindex function just visual?

russell120
Communicator

With my situation, all events have double the values in each field for some reason. I'm not an admin so I just have to work with it until they fix it. Data might look like this:

color  name
blue    bill 
blue    bill

green  gus
green  gus

The above are pretty much 4 multivalue cells.

So I run the below to return just the first string before the line break for each cell:

| eval severity=mvindex(name,0)
| stats count(eval(name="bill")) as badGuy

And the count result will still be 2 instead of one. Same with "gus". Why is that?

note: mvexpand + dedup is not an option for this situation.

Tags (3)
0 Karma

FrankVl
Ultra Champion

As a side note:
The reason for multiple values is often that both index time and search time extractions have been configured.

For example json index time extractions and then not disabling auto-kv, which causes json search time extractions to be performed as well.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The mvindex function does not change the multivalue field - it just extracts a copy of the requested value. For your query to work, you'd have to count the extract field, 'severity'.

| eval severity=mvindex(name,0)
| stats count(eval(severity="bill")) as badGuy
---
If this reply helps you, Karma would be appreciated.
0 Karma

russell120
Communicator

@richgalloway Sorry, I did actually count the severity field and the result is the same. Any workarounds?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...