Splunk Search

Trying to find the index of a value within a multivalued field, why is is mvfind on the multivalue field not working?

t_tharr
Engager

Hi,

I am trying to find the index of a value within a multivalued field. I assume mvfind is the correct eval function for this purpose. However it does not match anything. I am trying to fetch the index of "Links and UI" in a multivalued field called "Sub Calls" like this -

mysearch | chart list(AA) as "Sub Calls", list(BB) as "Sub Calls Duration" by MO_id | eval LUI_index = mvfind("Sub Calls", "^Links and UI$") | table MO_id, "Sub Calls", "Sub Calls Duration", LUI_index

This always returns null. Can someone please tell me where I could be going wrong in the regex?

Tags (3)
0 Karma

woodcock
Esteemed Legend

The problem is here:

mvfind("Sub Calls", "^Links and UI$")

Splunk is using the first argument as a literal string, not as a field name. This is why I always try to avoid whitespace in field names and when I cannot, I never use double-quotes, but instead use dollar-signs, like this (which will work for you):

mvfind($Sub Calls$, "^Links and UI$")

Again, the best solution would be to convert the spaces to underscores like this:

mysearch | chart list(AA) as Sub_Calls list(BB) as Sub_Calls_Duration by MO_id | eval LUI_index = mvfind(Sub_Calls, "^Links and UI$") | table MO_id Sub_Calls Sub_Calls_Duration LUI_index
0 Karma

jacobwilkins
Communicator

You really can't count on keeping parallel indexes on to separate multi-value fields.

Why not do:

mysearch | stats values(BB) by AA, MO_id

See also:

mysearch | chart values(BB) over AA by MO_id

You might have to switch you over/by fields in that one. I can never remember which is which.

Get Updates on the Splunk Community!

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...

The Visibility Gap: Hybrid Networks and IT Services

The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...