Re: how to make eval function to work for mutivalu...

dilstn · ‎03-21-2013

Here is the eval function which i use in particular field (which is a multivalued field) and then this value n display only for the first value of field....can u guide me to get the other value for the multivalued field .....

.......|eval n=if(isint(field1),"yes","no")| table sno,field1,n

sno field1 n
1 102 yes
132
234
P21
PSP

so for the remaining field1 value the eval function doesnt show the value.....

so i need like this...

Sno field1 n
1 102 yes
132 yes
234 yes
PGT no
PSP no

kristian_kolb · ‎03-22-2013

Perhaps the following may help;

mvexpand - make several events out of an event with a multivalued field (one for each value)

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Mvexpand

the mv* functions for eval, e.g. mvindex() and mvfilter() - see the examples

http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/CommonEvalFunctions

/Kristian

how to make eval function to work for mutivalued fields ..... to display

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

how to make eval function to work for mutivalued fields ..... to display

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...