Splunk Search

smallest value in a multi value field splunk

Builder

Hi,

Does anybody know how to pull the smallest or the largest value in a multi value field ?

| makeresults | eval h="1234,1" | makemv delim="," h 

I want the output as the lowest of the values in the multi value field . that is "1"

Thanks

0 Karma

Esteemed Legend

Like this:

... | streamstats count AS _serial
| stats min(h) AS min_h max(h) AS max_h BY _serial

You may have to add makemv delim="," h to make h truly mutlivalued.

0 Karma

Motivator

This works for me to treat the results as numbers:

| makeresults 
| eval test="10, 9, 70, 100" 
| makemv delim="," test

| rex field=test "(?<test_nums>\d+)"
| stats min(test_nums) as min
        max(test_nums) as max
Cheers,
Jacob
0 Karma

Champion

Hi

Try this, min and max in multi-value

| makeresults 
 | eval test="10,5,6,1" 
 | makemv delim="," test 
 | stats min(test) as min max(test) as max
0 Karma

Builder

Does not work,

Try this

| makeresults 
  | eval test="10, 9, 70, 100 " 
  | makemv delim="," test 
  | stats min(test) as min max(test) as max
0 Karma

Champion

Hi

Try this,

| makeresults 
| eval test="10, 9, 70, 100 " 
| makemv delim="," test 
| eval test= trim(test) 
| stats min(test) as min max(test) as max
0 Karma

Legend

[UPDATED ANSWER]
Since min() on multi-valued field is applying lexicographical order (treating the numbers as string).
One approach would be to pad zeros to the values using rex (I have added 10 zeros to example below, you can add/remove as per your needs). Then apply min(). Finally, using ltrim() remove padded zeros from left.

Please try out and confirm.

| makeresults 
| eval h="10,9,70,100" 
| makemv delim="," h 
| rex mode=sed field=h "s/(\d+)/0000000000\1/"
| eval smallest=trim(min(h),"0")

@nawazns5038 just pipe | eval smallest=min(h) to your existing search.

| makeresults 
| eval h="1234,1" 
| makemv delim="," h
| eval smallest=min(h)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Builder

Hi @niketnilay , It does not work , please look into the following example and run the below query . I think it sorts lexicographically

| makeresults 
 | eval h="10, 9, 70, 100 " 
 | makemv delim="," h
 | eval smallest=max(h)

The query result would be 9 but not 100. The min(h) would show as 10 instead of 9.

0 Karma

Path Finder

I think its the white space that's creating an issue.
Try below

| makeresults
| eval h="10, 9, 70, 100"
| rex mode=sed field=h "s/ //g"
| makemv delim="," h
| eval smallest=min(h)

0 Karma

Legend

@nawazns5038 what is your existing query which gives you multivalue field? Is it because of stats or directly from your data or multi-valued field extraction like rex.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Builder

@niketnilay , the values are coming from a lookup , so for one field value in splunk there are multiple matches and the matches come in a multivalue value after we do the lookup command , I want the lowest or the highest of the multivalue field values.

0 Karma

Legend

@nawazns5038 have you tried the updated query?

<yourCurrentSearchReturningMultiValueField_h>
 | rex mode=sed field=h "s/(\d+)/0000000000\1/"
 | eval smallest=trim(min(h),"0")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!