Splunk Search

Finding the length of multivalue/singlevalue field

smanojkumar
Contributor

Hello There,

    I would like to pass two different values as a token. The search uses code as a token, where the code field can have a single value or multiple values. We need to calculate the length and, if the length is equal to 1, pass value_1; if the length is greater than 1, pass value_2 in a new token.

index=03_f123456 sourcetype=logs* (CODE IN ($code$))
| eval x=len($code$)
| eval y=if(x=1,"value_1","value_2")
| dedup y | table y


Thanks in advance!

0 Karma
1 Solution

zksvc
Path Finder

Hi @smanojkumar

Then can you solve it with that query?
If it is helpful, maybe you can mark it as solved; I would appreciate it if you give me karma.

Because if you mark it as solved, it will help other users who have the same problem.

smanojkumar
Contributor

Hello @zksvc ,

    Thanks for your prompt response and thanks for your time!

    It works, but my token value will be enclosed like ("token_value").

Let's say the token and results can be:

Token                      Result     Reason
("*")                      value_1    Since the length of "*" is 1, we need to pass value_1
("abc")                    value_2    Since the length of "abc" is 3, we need to pass value_2
("ajd","abc","sd")         value_2    Since the length of "ajd" is 3, we need to pass value_2

The purpose of this is: my use case is to find whether the token contains "*" in it or not. Since it is an input dropdown of a multivalue field, if I use mv commands it only works for multiple values, but in some cases we will be getting a single value from the input dropdown, so I need a condition that works in both cases.


Thanks!

0 Karma

zksvc
Path Finder

Hi @smanojkumar

According to your information, what if we create a new field, let's say max_length, put that field in the condition, and then run the query like this:

index=03_f123456 sourcetype=logs* (CODE IN ($code$))
| eval code_list = split(trim($code|s$, "()"), ",")
| eval lengths = mvmap(code_list, len(trim('code_list', '"')))
| eval max_length = if(mvfind(lengths, "^1$") >= 0, "value_1", "value_2")
| table code_list max_length

Let me know if it works

Thanks!

0 Karma

smanojkumar
Contributor

Hello @zksvc ,

    Thanks again!

    I'm facing an error on this line: "unbalanced quotes"

| eval lengths = mvmap(code_list, len(trim('code_list', '"')))

So I have modified this as:
| eval lengths = mvmap(code_list, len(trim('code_list', "\"")))


Though eval is not accepting "*" as a token value in code.

Thanks!

0 Karma


zksvc
Path Finder

Hi @smanojkumar

Maybe you can try this:

index=03_f123456 sourcetype=logs* (CODE IN ($code$))
| eval code_list=split($code|s$, ",")
| eval x=mvcount(code_list)
| eval y=if(x==1, "value_1", "value_2")
| dedup y | table y

Let me know if it works

0 Karma
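As an added example (not part of the original thread, and not either poster's code), the following SPL can be pasted into a search bar on its own: it uses makeresults to construct the three token values from the table above, written as they would reach the search after $code|s$ substitution (the assumption here is that the dropdown emits double-quoted, comma-delimited values, as the poster describes). It strips the surrounding parentheses, splits on the delimiter, strips the per-value quotes, and then tests for the wildcard element directly rather than through string length, since the poster says the condition is really about whether "*" was selected. The same three eval lines work in the original search when $code|s$ is used in place of "$code$".

```spl
| makeresults count=3
| streamstats count AS row
| eval code_token=case(row=1, "(\"*\")", row=2, "(\"abc\")", row=3, "(\"ajd\",\"abc\",\"sd\")")
| eval code_list=split(trim(code_token, "()"), ",")
| eval code_list=mvmap(code_list, trim(code_list, "\""))
| eval n_values=mvcount(code_list)
| eval n_wild=coalesce(mvcount(mvfilter(code_list="*")), 0)
| eval y=if(n_wild>0, "value_1", "value_2")
| table code_token code_list n_values n_wild y
```

The mvfilter/mvcount pair handles both the single-value and the multi-value case uniformly, because split always yields a multivalue field (with one element for a single selection), and coalesce turns the null that mvfilter returns when nothing matches into 0. This reproduces the poster's table: only the ("*") row maps to value_1, while ("abc") and ("ajd","abc","sd") map to value_2 regardless of how many values were selected.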