Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is transaction mvlist=t sorting a multivalue field in alphabetical order, not chronological?

simpkins1958
Contributor
‎08-09-2016 11:42 AM

Using this SPL:

index=main sourcetype=conn_activeifc d_name="JimSimpkins-Surface3" | transaction mvlist=t maxevents=2 d_id | eval one=mvindex(ifc,0) | eval two=mvindex(ifc,1) | table _time one two ifc | sort - _time

the mv field ifc is ALWAYS in alphabetical order. I need it _time order. What am I doing wrong??
Thanks!

From the documentation:

mvlist
Syntax: mvlist= true | false |
Description: Flag that controls whether the multivalued fields of the transaction are (mvlist=t) a list of the original events ordered in arrival order or (mvlist=f) a set of unique field values ordered alphabetically. If a comma or/space delimited list of fields is provided, only those fields are rendered as lists.
Default: false

Reply

moisesroth
Path Finder
‎06-05-2017 11:41 AM

Hi, I needed do get the last "etapa" from some transactions indexed by "pedido", so I did a "streamstats count", prefix "etapa" with "count". This way I could bypass alphabetic ordination.
After it, I remove the prefix "1|", "2|", "3|" ... it using a temp variable named "etapa2" and regex.

This workaround solve it for me:

search... 
| streamstats count 
| eval count=substr("0000000".tostring(count), -5)
| eval etapa=count."|".etapa
| transaction pedido startswith="*status\=\"iniciado\"" mvlist=pedido
| rex field=etapa "^\d+\|(?<etapa2>.*)$" 
| eval etapa=etapa2
| eval l_etapa = mvindex(etapa,0)  
| ....

I hope this can help you.

Edited: I add this line to fix errors on alphabetic ordination. Ex: "10 < 2". Now we got "10 > 02"
| eval count=substr("0000000".tostring(count), -5)

0 Karma
Reply

akazarov
Path Finder
‎08-30-2016 03:16 AM

Same problem here, it seems there is no solution since 2009?
Actually, I need "a set of unique field values ordered in arrival order" - something not foreseen by transaction?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-09-2016 11:50 AM 
Syntax: mvlist= true | false | <field-list>

so change your search to this and see:

index=main sourcetype=conn_activeifc d_name="JimSimpkins-Surface3" | transaction maxevents=2 mvlist=t d_id | eval one=mvindex(ifc,0) | eval two=mvindex(ifc,1) | table _time one two ifc | sort - _time
0 Karma
Reply

simpkins1958
Contributor
‎08-09-2016 11:57 AM

This changed nothing... ifc value still in alphabetical order...

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...