Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is transaction mvlist=t sorting a multivalue field in alphabetical order, not chronological?

simpkins1958
Contributor
‎08-09-2016 11:42 AM

Using this SPL:

index=main sourcetype=conn_activeifc d_name="JimSimpkins-Surface3" | transaction mvlist=t maxevents=2 d_id | eval one=mvindex(ifc,0) | eval two=mvindex(ifc,1) | table _time one two ifc | sort - _time

the mv field ifc is ALWAYS in alphabetical order. I need it _time order. What am I doing wrong??
Thanks!

From the documentation:

mvlist
Syntax: mvlist= true | false |
Description: Flag that controls whether the multivalued fields of the transaction are (mvlist=t) a list of the original events ordered in arrival order or (mvlist=f) a set of unique field values ordered alphabetically. If a comma or/space delimited list of fields is provided, only those fields are rendered as lists.
Default: false

Reply

moisesroth
Path Finder
‎06-05-2017 11:41 AM

Hi, I needed do get the last "etapa" from some transactions indexed by "pedido", so I did a "streamstats count", prefix "etapa" with "count". This way I could bypass alphabetic ordination.
After it, I remove the prefix "1|", "2|", "3|" ... it using a temp variable named "etapa2" and regex.

This workaround solve it for me:

search... 
| streamstats count 
| eval count=substr("0000000".tostring(count), -5)
| eval etapa=count."|".etapa
| transaction pedido startswith="*status\=\"iniciado\"" mvlist=pedido
| rex field=etapa "^\d+\|(?<etapa2>.*)$" 
| eval etapa=etapa2
| eval l_etapa = mvindex(etapa,0)  
| ....

I hope this can help you.

Edited: I add this line to fix errors on alphabetic ordination. Ex: "10 < 2". Now we got "10 > 02"
| eval count=substr("0000000".tostring(count), -5)

0 Karma
Reply

akazarov
Path Finder
‎08-30-2016 03:16 AM

Same problem here, it seems there is no solution since 2009?
Actually, I need "a set of unique field values ordered in arrival order" - something not foreseen by transaction?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-09-2016 11:50 AM 
Syntax: mvlist= true | false | <field-list>

so change your search to this and see:

index=main sourcetype=conn_activeifc d_name="JimSimpkins-Surface3" | transaction maxevents=2 mvlist=t d_id | eval one=mvindex(ifc,0) | eval two=mvindex(ifc,1) | table _time one two ifc | sort - _time
0 Karma
Reply

simpkins1958
Contributor
‎08-09-2016 11:57 AM

This changed nothing... ifc value still in alphabetical order...

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...