Is the mvindex function just visual?

russell120 · ‎02-19-2019

With my situation, all events have double the values in each field for some reason. I'm not an admin so I just have to work with it until they fix it. Data might look like this:

color  name
blue    bill 
blue    bill

green  gus
green  gus

The above are pretty much 4 multivalue cells.

So I run the below to return just the first string before the line break for each cell:

| eval severity=mvindex(name,0)
| stats count(eval(name="bill")) as badGuy

And the count result will still be 2 instead of one. Same with "gus". Why is that?

note: mvexpand + dedup is not an option for this situation.

FrankVl · ‎02-20-2019

As a side note:
The reason for multiple values is often that both index time and search time extractions have been configured.

For example json index time extractions and then not disabling auto-kv, which causes json search time extractions to be performed as well.

richgalloway · ‎02-20-2019

The mvindex function does not change the multivalue field - it just extracts a copy of the requested value. For your query to work, you'd have to count the extract field, 'severity'.

| eval severity=mvindex(name,0)
| stats count(eval(severity="bill")) as badGuy

---
If this reply helps you, Karma would be appreciated.

russell120 · ‎02-20-2019

@richgalloway Sorry, I did actually count the severity field and the result is the same. Any workarounds?

Is the mvindex function just visual?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!