Usage of Splunk EVAL Function: MVINDEX
We have gone through lots of “Splunk Eval Command“. Now, in this post we are going to talk about Multi value Splunk Eval Function called MVINDEX
Usage of Splunk EVAL Function: MVINDEX :
• This function takes two or three arguments( X,Y,Z)
• X will be a multi-value field, Y is the start index and Z is the end index.
• Y and Z can be a positive or negative value.
• This function returns a subset field of a multi-value field as per given start index and end index.
• If the given indexes are out of range or invalid then it returns null.
• Z is required but Y is optional. If you don’t specify any start index value by default it takes 0.
Find below the skeleton of the usage of the function “mvindex” with EVAL :
….. | eval NEW_FIELD=mvindex(X,Y,Z)
Example 1:
index=_internal sourcetype=splunkd_ui_access| stats values(status) as status by method| eval New_Field=mvindex(status,2)
Result:
Explanation:
In the above query status and method, both are existing field names in _internal index and sourcetype name is splunkd_ui_access. By values function with stats command, we have created a muti–value field called status. At last, we have used mvindex function with eval command to take the values from the multi-value field. Here don’t specify any start index so by default mvindex function takes start index as . Also, we have specified end index as 2 so it will take only 3rd value from the multi-value field. Always counting of indexes will start from the 0th position in the multi–value field. We store the output of mvindex function in a new field called New_Field. For method equal to “DELETE” and “HEAD” the given index is out of range so it will return Null as output.
****************************************************************************
Example 2:
index=_internal sourcetype=splunkd_ui_access| stats values(status) as status by method| eval New_Field=mvindex(status,1,2)
Result:
Explanation:
In the above query status and method, both are existing field names in _internal index and sourcetype name is splunkd_ui_access. By values function with stats command, we have created a muti–value field called status. At last, we have used mvindex function with eval command to take the values from the multi-value field. Here we have specified start index as 1 and end index as 2 so it will take 2nd and 3rd value from the multi-value field. Always counting of indexes will start from the 0th position in the multi–value field. We store the output of mvindex function in a new field called New_Field. For method equal to “DELETE” and “HEAD” the given index is out of range so it will return Null as output.
*************************************************************************
Example 3:
index=_internal sourcetype=splunkd_ui_access| stats values(status) as status by method| eval New_Field=mvindex(status,-2)
Result:
Explanation:
In the above query status and method, both are existing field names in _internal index and sourcetype name is splunkd_ui_access. By values function with stats command, we have created a muti–value field called status. At last, we have used mvindex function with eval command to take the values from the multi-value field. Here we have specified only end index as -2 so it will take only 2nd last value from the multi-value field. Always counting of indexes will start from the 0th position in the multi–value field. We store the output of mvindex function in a new field called New_Field. For method equal to “DELETE” and “HEAD” the given index is out of range so it will return Null as output.
***************************************************************************
Example 4:
index=_internal sourcetype=splunkd_ui_access| stats values(status) as status by method| eval New_Field=mvindex(status,1,-2)
Result:
Explanation:
In the above query status and method, both are existing field names in _internal index and sourcetype name is splunkd_ui_access. By values function with stats command, we have created a muti–value field called status. At last, we have used mvindex function with eval command to take the values from the multi-value field. Here we have specified start index as 1and end index as -2 so it will take 2nd value from the top to 2nd last value from the multi-value field.Always counting of indexes will start from the 0th position in the multi–value field. We store the output of mvindex function in a new field called New_Field. For method equal to “DELETE” and “HEAD” the given index is out of range so it will return Null as output.
Now you can effectively utilize “mvindex” function with Splunk Eval Command to meet your requirement !!
Hope you are now comfortable in : Usage of Splunk EVAL Function: MVINDEX
HAPPY SPLUNKING !!
What’s your Reaction?
+1
1
+1
2
+1
9
+1
+1
3
+1
+1
