vorticine.blogg.se

Splunk eval
Usage of Splunk EVAL Function: MVZIP

  • This function combines the values of multi-value fields: the 1st value of X with the 1st value of Y, the 2nd with the 2nd, and so on.
  • X and Y will be multi-value fields and Z is the delimiter.
  • This function takes a maximum of 3 arguments (X, Y, Z). By default the delimiter is a comma.

Find below the skeleton of the usage of the function "mvzip" with EVAL:

Example 1: index=_internal sourcetype=splunkd_ui_access | stats values(method) as method, values(status) as status | eval New_Field=mvzip(method,status)

In the above query status and method are both existing fields in the _internal index, and the sourcetype name is splunkd_ui_access. Using the values function with the stats command we have created two multi-value fields, so both status and method have become multi-value fields. At last we have used the mvzip function to combine the values of the multi-value fields and stored the result in a new field called New_Field. In the result it shows values only for those positions where a value is present in both the method and the status field.

Usage of Splunk EVAL Function: MVMAP

This function takes a maximum of two arguments (X, Y). X can be a multi-value expression, any multi-value field, or any single-value field.

Find below the skeleton of the usage of the function "mvmap" with EVAL:

…| eval NEW_FIELD=mvmap(X,Y)

Example 1: index=_internal sourcetype="splunkd_ui_access" | stats values(status) as status by method | eval new=mvmap(status,status*10)

In the above query status and method are both existing fields of the _internal index, and the sourcetype name is splunkd_ui_access. Using the values function with the stats command we have created one multi-value field. At last we have used the mvmap function to multiply each value of the status field by 10 in the new field.

NOTE: Instead of multiplication you can do any kind of mathematical calculation using mvmap.

Example 2: index=_internal sourcetype="splunkd_ui_access" | table status bytes | eval new=mvmap(status,status+bytes)

In the above query status and bytes are both existing fields of the _internal index, and the sourcetype name is splunkd_ui_access; here both are single-value fields. Then we added each status value to bytes.

Example 3: index=_internal sourcetype="splunkd_ui_access" | stats values(status) as status by bytes | eval new=mvmap(status,status*bytes)

In the above query status and bytes are both existing fields of the _internal index, and the sourcetype name is splunkd_ui_access. Here we have created a multi-value field called status using the values function with the stats command, and bytes is a single-value field. At last we have used mvmap to multiply all the values of status by the bytes value.

Example 4: index=_internal sourcetype="splunkd_ui_access" | stats values(status) as status by method | eval new=mvmap(mvindex(status,0,2),status*10)

In the above query status and method are both existing fields of the _internal index, and the sourcetype name is splunkd_ui_access. Here we have created a multi-value field called status using the values function with the stats command, and method is a single-value field. As we explained at the top, in place of X you can use any expression that results in a multi-value field: here, using mvindex, we pick the first three values of each status field and then, using mvmap, multiply them by 10. If you don't know about the usage of the mvindex function then click here.

NOTE: In the case of mvmap it only deals with numeric fields.

Now you can effectively utilize the "mvmap" function with the "eval" command to meet your requirement.

You can also know about: Usage of Splunk EVAL Function: SEARCHMATCH
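As an added example (not code from the original post or from Splunk), the following Python models the documented behaviour of stats values()/list(), mvzip() and mvmap() over constructed sample events, covering mvzip Example 1 and mvmap Example 1 above. It shows why a detection search that zips two values() fields does not get real event pairs (values() sorts and deduplicates, and unmatched positions are dropped), while list() keeps each event's method beside its own status.

```python
from typing import Callable, Union

# Constructed sample events standing in for splunkd_ui_access rows (not real data).
EVENTS = [
    {"method": "GET", "status": "200", "bytes": 512},
    {"method": "POST", "status": "404", "bytes": 128},
    {"method": "GET", "status": "500", "bytes": 64},
    {"method": "DELETE", "status": "403", "bytes": 32},
]

def stats_values(rows: list, field: str) -> list:
    """Model of stats values(field): unique values, sorted lexicographically."""
    return sorted({str(r[field]) for r in rows})

def stats_list(rows: list, field: str) -> list:
    """Model of stats list(field): every value in event order, duplicates kept
    (Splunk itself caps list() at 100 values)."""
    return [str(r[field]) for r in rows]

def mvzip(x: list, y: list, delim: str = ",") -> list:
    """mvzip(X,Y,Z): join X[i] with Y[i]; positions present on only one side are dropped."""
    return [f"{a}{delim}{b}" for a, b in zip(x, y)]

def mvmap(x: Union[list, str], fn: Callable) -> Union[list, object]:
    """mvmap(X,Y): evaluate Y for each value of X; a single-value X yields a single value."""
    if isinstance(x, list):
        return [fn(v) for v in x]
    return fn(x)

def pairs_from_values(events: list) -> list:
    """mvzip Example 1: values(method) zipped with values(status)."""
    return mvzip(stats_values(events, "method"), stats_values(events, "status"))

def pairs_from_list(events: list) -> list:
    """Order-preserving variant: list() keeps each event's method beside its own status."""
    return mvzip(stats_list(events, "method"), stats_list(events, "status"))

def status_times_ten(events: list) -> list:
    """mvmap Example 1: every value of the multi-value status field multiplied by 10."""
    return mvmap(stats_values(events, "status"), lambda s: int(s) * 10)

if __name__ == "__main__":
    # values() sorted and deduplicated both fields, so "DELETE,200" is not a real
    # event pair, and the fourth status value has no partner and is dropped.
    print(pairs_from_values(EVENTS))  # ['DELETE,200', 'GET,403', 'POST,404']
    print(pairs_from_list(EVENTS))    # ['GET,200', 'POST,404', 'GET,500', 'DELETE,403']
    print(status_times_ten(EVENTS))   # [2000, 4030, 4040, 5000]
```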