Splunk Search

Eval on Multi Valued Fields

Hazel
Communicator

Hello,

I currently have a query that returns a set of results, with a port number and then multiple values of a url for each port like so:

Port    URL
5170    1
        2
        3
5270    4
        5
        6

I want to use this to generate more results. I need another field based on the answers to URL. E.g, creating a status field, based on the results of URL. Something like

 eval status = if(match(URL,"2"),"Yes","No") 

However, if you do an eval on URL, it just takes the first of the values and evaluating it, ignoring the 2nd and third values. So i'd want it to check the 1st one (1), answer would be No, check second one (2) answer would be Yes, check third one answer (3) would be No.

If there any way to run an eval over multi valued fields?

Thanks Hazel

Tags (2)
1 Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee

There are a couple eval functions that address the case of multivalued fields (http://www.splunk.com/base/Documentation/latest/SearchReference/CommonEvalFunctions). You should specifically look at the ones that start with "mv". In your specific case, you'll probably want to search:

... | eval status = if(mvcount(mvfilter(match(URL,"2"))) > 0, "Yes", "No")

That said, you should be able to use "==" or match directly in eval. Both of these should return true if any of the multivalues is equal or matches. This can be tested using a search like:

| stats count | eval count = "a b c" | makemv count | eval status=if(count == "b", 1, 0)
| stats count | eval count = "a b c" | makemv count | eval status=if(match(count,"b"), 1, 0)

View solution in original post

Stephen_Sorkin
Splunk Employee
Splunk Employee

There are a couple eval functions that address the case of multivalued fields (http://www.splunk.com/base/Documentation/latest/SearchReference/CommonEvalFunctions). You should specifically look at the ones that start with "mv". In your specific case, you'll probably want to search:

... | eval status = if(mvcount(mvfilter(match(URL,"2"))) > 0, "Yes", "No")

That said, you should be able to use "==" or match directly in eval. Both of these should return true if any of the multivalues is equal or matches. This can be tested using a search like:

| stats count | eval count = "a b c" | makemv count | eval status=if(count == "b", 1, 0)
| stats count | eval count = "a b c" | makemv count | eval status=if(match(count,"b"), 1, 0)

Hazel
Communicator

Thankyou! This works 🙂

0 Karma
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...