- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: search values inside MV
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All,
i need a help in creating report
i have a mv field called "report", i want to search for values so they return me the result.
i tried with "IN function" , but it is returning me any values inside the function.
to be particular i need those values in mv field
for example, i have two fields manager and report, report having mv fields
manger------------------------ report
john ------------------ day1
------------------ day2
------------------ day3
------------------ day4
kevin -------------- day1
------------------ day4
index="my search" | where in(report,"day1","day4")
so here i'm expecting only results for kevin
i dont want to mv index it into multiple fields!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @hok2010 ,
You can use additionally mvcount function in where condition
Please try below run anywhere query-
| makeresults
| eval data="john|day1,day2,day3,day4;Kevin|day1,day2;"
| makemv data delim=";"
| mvexpand data
| makemv data delim="|"
| eval Manager=mvindex(data,0),report=mvindex(data,1)
| makemv report delim=","
| fields Manager,report
| where in(report,"day1","day2") and mvcount(report)=2
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @hok2010 ,
You can use additionally mvcount function in where condition
Please try below run anywhere query-
| makeresults
| eval data="john|day1,day2,day3,day4;Kevin|day1,day2;"
| makemv data delim=";"
| mvexpand data
| makemv data delim="|"
| eval Manager=mvindex(data,0),report=mvindex(data,1)
| makemv report delim=","
| fields Manager,report
| where in(report,"day1","day2") and mvcount(report)=2
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried | search report IN ("day1", "day4")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi arjun,
it didnt work well im getting the same results
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
