Solved: Re: Returning the value and position of items in a...

dcparker · ‎02-11-2014

Hello,
I have a field a:
1039275019, 138262333, 20232307, 175653, 63, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

I would like to return a table with the index and value of each item. For example:
1 1039275019
2 138262333
3 20232307
4 20232307
5 175653

and etc.

Can anyone help with this? If you wondering, the field is coming from cassandra via jmx, so I don't have tons of control over it.

thanks!

somesoni2 · ‎02-11-2014

Try this.

<your base search giving field say myfield> | eval myfield=split(myfield,",") | mvexpand myfield | eval sno=1 | accum sno

OR

<your base search giving field say myfield> | eval myfield=split(myfield,",") | mvexpand myfield | streamstats count as sno

View solution in original post

somesoni2 · ‎02-11-2014

Try this.

<your base search giving field say myfield> | eval myfield=split(myfield,",") | mvexpand myfield | eval sno=1 | accum sno

OR

<your base search giving field say myfield> | eval myfield=split(myfield,",") | mvexpand myfield | streamstats count as sno

dcparker · ‎02-11-2014

thanks, that works!

Returning the value and position of items in a multivalue field

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Are you a member of the Splunk Community?

Returning the value and position of items in a multivalue field

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025