Splunk Search

Finding the length of multivalue/singlevalue field

smanojkumar
Contributor

Hello There,

    I would like to pass two different values as a token. The search consists of code as a token, where the code field can be a single value or multiple values. We need to calculate the length, and if the length is equal to 1, then we need to pass value_1; if the length is greater than 1, then we need to pass value_2 in a new token.

index=03_f123456 sourcetype=logs* (CODE IN ($code$))
| eval x=len($code$)
| eval y=if(x=1,"value_1","value_2")
| dedup y | table y


Thanks in advance!

0 Karma

smanojkumar
Contributor

Hello @zksvc ,

   Thanks for your prompt response and thanks for your time!

    It works, but my token value will be enclosed with ("token_value").

Let's say the token and results can be:

Token                  Result     Reason
("*")                  value_1    Since the length of "*" is 1, we need to pass value1
( "abc")               value_2    Since the length of "abc" is 3, we need to pass value2
("ajd","abc","sd")     value_2    Since the length of "ajd" is 3, we need to pass value2

The purpose of this is: my use case is to find whether the token has "*" in it or not. Since it's an input dropdown of a multivalue field, if I use mv commands it only works for multivalues, but in some cases we will be getting a single value from the input dropdown, so I need a condition that works in both cases.


Thanks!

0 Karma

zksvc
Communicator

Hi @smanojkumar 

According to your information, what if we create a new field, let's say max_length, put that field in the condition, then run the query like this:

index=03_f123456 sourcetype=logs* (CODE IN ($code$))
| eval code_list = split(trim("($code$)", "()"), ",")                    
| eval lengths = mvmap(code_list, len(trim('code_list', '"')))           
| eval max_length = if(mvfind(lengths, 1) >= 0, "value_1", "value_2")   
| table code_list max_length

 

Let me know if it works

Thanks!

0 Karma

smanojkumar
Contributor

Hello @zksvc ,

    Thanks again!

    I'm facing an error in this line: "unbalanced quotes"

| eval lengths = mvmap(code_list, len(trim('code_list', '"')))

So I have modified this as
| eval lengths = mvmap(code_list, len(trim('code_list', "\"")))


Though eval is not accepting "*" as a token value in code.

Thanks!

0 Karma

zksvc
Communicator

Hi @smanojkumar  

Then can you solve it with that query?
If it is helpful, maybe you can mark it as solved, and I would appreciate it if you gave me karma.

Because if you mark it as solved, it will help other users who have the same problem.

zksvc
Communicator

Hi @smanojkumar 

Maybe you can try this 

index=03_f123456 sourcetype=logs* (CODE IN ($code$))
| eval code_list=split("$code$", ",") 
| eval x=mvcount(code_list) 
| eval y=if(x==1, "value_1", "value_2") 
| dedup y | table y

 

Let me know if it works

0 Karma
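
An added example (not code from any poster in this thread) that runs the three token shapes from the table above through one run-anywhere search. It assumes the goal stated in the thread, detecting whether "*" is among the selected values; the `constructed_token` rows are constructed test input, and `has_wildcard` is a helper field introduced here.

```spl
| makeresults count=3
| streamstats count AS row
| eval constructed_token=case(row==1, "(\"*\")", row==2, "( \"abc\")", row==3, "(\"ajd\",\"abc\",\"sd\")")
| eval code_list=split(replace(constructed_token, "[()\" ]", ""), ",")
| eval lengths=mvmap(code_list, len(code_list))
| eval has_wildcard=if(isnotnull(mvfilter(code_list=="*")), 1, 0)
| eval y=if(has_wildcard==1, "value_1", "value_2")
| table constructed_token code_list lengths y
```

In a Simple XML dashboard, the `$code|s$` token filter, which wraps the token value in quotes and escapes any quotes inside it, can stand in for the constructed string.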