Hi,
Does anybody know how to pull the smallest or the largest value in a multi value field ?
| makeresults | eval h="1234,1" | makemv delim="," h
I want the output as the lowest of the values in the multi value field . that is "1"
Thanks
Like this:
... | streamstats count AS _serial
| stats min(h) AS min_h max(h) AS max_h BY _serial
You may have to add makemv delim="," h
to make h
truly mutlivalued.
This works for me to treat the results as numbers:
| makeresults
| eval test="10, 9, 70, 100"
| makemv delim="," test
| rex field=test "(?<test_nums>\d+)"
| stats min(test_nums) as min
max(test_nums) as max
Hi
Try this, min and max in multi-value
| makeresults
| eval test="10,5,6,1"
| makemv delim="," test
| stats min(test) as min max(test) as max
Does not work,
Try this
| makeresults
| eval test="10, 9, 70, 100 "
| makemv delim="," test
| stats min(test) as min max(test) as max
Hi
Try this,
| makeresults
| eval test="10, 9, 70, 100 "
| makemv delim="," test
| eval test= trim(test)
| stats min(test) as min max(test) as max
[UPDATED ANSWER]
Since min() on multi-valued field is applying lexicographical order (treating the numbers as string).
One approach would be to pad zeros to the values using rex (I have added 10 zeros to example below, you can add/remove as per your needs). Then apply min()
. Finally, using ltrim() remove padded zeros from left.
Please try out and confirm.
| makeresults
| eval h="10,9,70,100"
| makemv delim="," h
| rex mode=sed field=h "s/(\d+)/0000000000\1/"
| eval smallest=trim(min(h),"0")
@nawazns5038 just pipe | eval smallest=min(h)
to your existing search.
| makeresults
| eval h="1234,1"
| makemv delim="," h
| eval smallest=min(h)
Hi @niketnilay , It does not work , please look into the following example and run the below query . I think it sorts lexicographically
| makeresults
| eval h="10, 9, 70, 100 "
| makemv delim="," h
| eval smallest=max(h)
The query result would be 9 but not 100. The min(h)
would show as 10 instead of 9.
I think its the white space that's creating an issue.
Try below
| makeresults
| eval h="10, 9, 70, 100"
| rex mode=sed field=h "s/ //g"
| makemv delim="," h
| eval smallest=min(h)
@nawazns5038 what is your existing query which gives you multivalue field? Is it because of stats or directly from your data or multi-valued field extraction like rex.
@niketnilay , the values are coming from a lookup , so for one field value in splunk there are multiple matches and the matches come in a multivalue value after we do the lookup command , I want the lowest or the highest of the multivalue field values.
@nawazns5038 have you tried the updated query?
<yourCurrentSearchReturningMultiValueField_h>
| rex mode=sed field=h "s/(\d+)/0000000000\1/"
| eval smallest=trim(min(h),"0")