This works for me to treat the results as numbers:
| makeresults | eval test="10, 9, 70, 100" | makemv delim="," test | rex field=test "(?<test_nums>\d+)" | stats min(test_nums) as min max(test_nums) as max
Since min() on multi-valued field is applying lexicographical order (treating the numbers as string).
One approach would be to pad zeros to the values using rex (I have added 10 zeros to example below, you can add/remove as per your needs). Then apply
min(). Finally, using ltrim() remove padded zeros from left.
Please try out and confirm.
| makeresults | eval h="10,9,70,100" | makemv delim="," h | rex mode=sed field=h "s/(\d+)/0000000000\1/" | eval smallest=trim(min(h),"0")
@nawazns5038 just pipe
| eval smallest=min(h) to your existing search.
| makeresults | eval h="1234,1" | makemv delim="," h | eval smallest=min(h)
Hi @niketnilay , It does not work , please look into the following example and run the below query . I think it sorts lexicographically
| makeresults | eval h="10, 9, 70, 100 " | makemv delim="," h | eval smallest=max(h)
The query result would be 9 but not 100. The
min(h) would show as 10 instead of 9.
@nawazns5038 what is your existing query which gives you multivalue field? Is it because of stats or directly from your data or multi-valued field extraction like rex.
@niketnilay , the values are coming from a lookup , so for one field value in splunk there are multiple matches and the matches come in a multivalue value after we do the lookup command , I want the lowest or the highest of the multivalue field values.
@nawazns5038 have you tried the updated query?
<yourCurrentSearchReturningMultiValueField_h> | rex mode=sed field=h "s/(\d+)/0000000000\1/" | eval smallest=trim(min(h),"0")