Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract from multivalue field result

Noob_splunker
Explorer
‎07-05-2020 03:39 PM

Hi,

Below is the result from my transaction command. How do I extract only one date from the  multiple dates below?
I only need the first one which is 2020-07-05 22:02:01.
 
 
2020-07-05 22:02:01
2020-07-05 22:02:36
2020-07-05 22:02:58
2020-07-06 03:02:41
 

extract.PNG

 

I tried mvindex and split but it doesnt give me a result.

 

Thanks,

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-05-2020 07:41 PM

@Noob_splunker,

It looks like your field name is the culprit.

Try renaming the field it to start with a letter.

| rename 4G_OutageStart as FG_OutageStart
| eval firstValue=mvindex(FG_OutageStart,0)

 

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-05-2020 07:41 PM

@Noob_splunker,

It looks like your field name is the culprit.

Try renaming the field it to start with a letter.

| rename 4G_OutageStart as FG_OutageStart
| eval firstValue=mvindex(FG_OutageStart,0)

 

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

Noob_splunker
Explorer
‎07-05-2020 09:29 PM

yup it worked after i renamed it! thanks much!

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎07-05-2020 07:56 PM

Surrounding fields with single quotes ' will ensure eval command works with field names that start with numbers or have spaces in, as in my example

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-05-2020 08:38 PM

Yes sure

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎07-05-2020 05:45 PM

Split and mvindex should work, try this

| makeresults
| eval 4G_OutageStart="2020-07-05 22:02:01,2020-07-05 22:02:36,2020-07-05 22:02:58,2020-07-06 03:02:41"
| eval 4G_OutageStart=split('4G_OutageStart',",")
| eval DataPoints=mvcount('4G_OutageStart')
| eval FirstDateTime=mvindex('4G_OutageStart',0,0)

If things are not working, it may be that your data looks like an MV field, but is not. You can check with the mvcount eval statement I included above.  

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...