Solved: Take the first value of each multivalue field

sbsbb · ‎05-21-2013

I have a big xml I wan't to make flat :

element1
...
subelement1
 subelement1.1
 subelement1.2
subelement2
 subelement2.1
 subelement2.2

If I make an spath, let say at subelement, I have all the subelements as multivalue.
With nomv, I'm able to convert mvfields into singlevalue, but the content contains all the values...
What I want, is having only the first value from the mvfields...

I have lot of them, so I don't wan't to make an spath, with a path for each...

kristian_kolb · ‎05-21-2013

... | eval my_number_1 = mvindex(my_multivalue_field, 0)

See more about the mv*() functions here;

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

/K

View solution in original post

kristian_kolb · ‎05-21-2013

... | eval my_number_1 = mvindex(my_multivalue_field, 0)

See more about the mv*() functions here;

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

/K

Take the first value of each multivalue field

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Take the first value of each multivalue field

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability