Splunk Search

smallest value in a multi value field splunk

nawazns5038
Builder

Hi,

Does anybody know how to pull the smallest or the largest value in a multi value field ?

| makeresults | eval h="1234,1" | makemv delim="," h 

I want the output as the lowest of the values in the multi value field . that is "1"

Thanks

0 Karma

woodcock
Esteemed Legend

Like this:

... | streamstats count AS _serial
| stats min(h) AS min_h max(h) AS max_h BY _serial

You may have to add makemv delim="," h to make h truly mutlivalued.

0 Karma

jacobpevans
Motivator

This works for me to treat the results as numbers:

| makeresults 
| eval test="10, 9, 70, 100" 
| makemv delim="," test

| rex field=test "(?<test_nums>\d+)"
| stats min(test_nums) as min
        max(test_nums) as max
Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

vnravikumar
Champion

Hi

Try this, min and max in multi-value

| makeresults 
 | eval test="10,5,6,1" 
 | makemv delim="," test 
 | stats min(test) as min max(test) as max
0 Karma

nawazns5038
Builder

Does not work,

Try this

| makeresults 
  | eval test="10, 9, 70, 100 " 
  | makemv delim="," test 
  | stats min(test) as min max(test) as max
0 Karma

vnravikumar
Champion

Hi

Try this,

| makeresults 
| eval test="10, 9, 70, 100 " 
| makemv delim="," test 
| eval test= trim(test) 
| stats min(test) as min max(test) as max
0 Karma

niketn
Legend

[UPDATED ANSWER]
Since min() on multi-valued field is applying lexicographical order (treating the numbers as string).
One approach would be to pad zeros to the values using rex (I have added 10 zeros to example below, you can add/remove as per your needs). Then apply min(). Finally, using ltrim() remove padded zeros from left.

Please try out and confirm.

| makeresults 
| eval h="10,9,70,100" 
| makemv delim="," h 
| rex mode=sed field=h "s/(\d+)/0000000000\1/"
| eval smallest=trim(min(h),"0")

@nawazns5038 just pipe | eval smallest=min(h) to your existing search.

| makeresults 
| eval h="1234,1" 
| makemv delim="," h
| eval smallest=min(h)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

nawazns5038
Builder

Hi @niketnilay , It does not work , please look into the following example and run the below query . I think it sorts lexicographically

| makeresults 
 | eval h="10, 9, 70, 100 " 
 | makemv delim="," h
 | eval smallest=max(h)

The query result would be 9 but not 100. The min(h) would show as 10 instead of 9.

0 Karma

chinmoya
Communicator

I think its the white space that's creating an issue.
Try below

| makeresults
| eval h="10, 9, 70, 100"
| rex mode=sed field=h "s/ //g"
| makemv delim="," h
| eval smallest=min(h)

0 Karma

niketn
Legend

@nawazns5038 what is your existing query which gives you multivalue field? Is it because of stats or directly from your data or multi-valued field extraction like rex.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

nawazns5038
Builder

@niketnilay , the values are coming from a lookup , so for one field value in splunk there are multiple matches and the matches come in a multivalue value after we do the lookup command , I want the lowest or the highest of the multivalue field values.

0 Karma

niketn
Legend

@nawazns5038 have you tried the updated query?

<yourCurrentSearchReturningMultiValueField_h>
 | rex mode=sed field=h "s/(\d+)/0000000000\1/"
 | eval smallest=trim(min(h),"0")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...