I am using the transaction command to sessionize web access log events and therefore have made referer, uri etc. into multivalue fields. How do I report on the first value of referer? The second page visited? The exit page?
You can use the mvindex eval function that's described in: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/CommonEvalFunctions
As an example: ... | eval second_uri = mvindex(uri, 1) | ...
View solution in original post
hulahoop, the field value ordering is controlled by the "mvlist" parameter of the "transaction" command: http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction
Very cool! Are mv fields sorted by time in a transaction?
