
Splunk join max

The following list contains the functions that you can use on multivalue fields or to return multivalue fields. You can also use the statistical eval functions, such as max, on multivalue fields. See Statistical eval functions. For information about using string and numeric fields in functions, and nesting functions, see Overview of SPL2 eval functions.

mvappend

This function returns a single multivalue result from a list of values. The values can be strings, multivalue fields, or single value fields. You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Examples

Specifying literals and field names

This example shows how to append the literal value localhost to the values in the srcip field. The results are placed in a new multivalue field called ipaddresses:

| eval ipaddresses=mvappend("localhost", srcip)

Nested mvappend functions

This example shows how to use nested mvappend functions:

| eval ipaddresses=mvappend(mvappend("localhost", srcip), destip, "192.168.1.1")

The inner mvappend function contains two values: localhost is a literal string value and srcip is a field name. The outer mvappend function contains three values: the inner mvappend function, destip, which is a field name, and 192.168.1.1, which is a literal IP address. The results are placed in a new field called ipaddresses which contains the array.

mvcount

This function takes a multivalue field and returns a count of the values in that field. If the field contains a single value, this function returns 1. If the field has no values, this function returns NULL.

| eval n=mvcount(myfield)

Extended example

In the following example, the mvcount() function returns the number of email addresses in the To, From, and Cc fields and saves the addresses in the specified "_count" fields.

| eval Cc_count=

This search takes the values in the To field and uses the split function to separate the email address on the symbol. The split function is also used on the Cc field for the same purpose. If only a single email address exists in the From field, as you would expect, mvcount(From) returns 1. If there is no Cc address, the Cc field might not exist for the event. In that situation mvcount(Cc) returns NULL.

mvdedup

This function takes a multivalue field and returns a multivalue field with the duplicate values removed.

mvfilter

This function filters a multivalue field based on a predicate expression. The expression can reference only one field. See Predicate expressions in the SPL2 Search Manual. This function will return NULL values of the field x as well. If you do not want the NULL values, use one of the following expressions:

The following example returns all of the values in the email field that end in.
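As an added example (not from the page and not from Splunk's own documentation), the following classic-SPL search exercises mvappend, mvcount, mvdedup and mvfilter together on one constructed mail-style event built with makeresults; the field names To, From, Cc, Bcc, srcip and destip, the sample addresses and IPs, and the "home domain" example.com are all assumptions. It counts recipients, removes duplicates, keeps only recipients outside the home domain (a typical outbound-mail review question), and builds a de-duplicated IP list while dropping NULL entries with mvfilter(!isnull(x)).

```spl
| makeresults
| eval To="alice@example.com,bob@example.org,bob@example.org",
       From="mallory@example.com",
       Cc="carol@example.net",
       srcip="10.0.0.5", destip="10.0.0.9"
| eval To=split(To, ","), Cc=split(Cc, ",")
| eval To_count=mvcount(To), From_count=mvcount(From),
       Cc_count=mvcount(Cc), Bcc_count=mvcount(Bcc)
| eval To_unique=mvdedup(To), To_unique_count=mvcount(To_unique)
| eval external_rcpts=mvfilter(!match(To_unique, "@example\.com$")),
       external_count=mvcount(external_rcpts)
| eval ipaddresses=mvappend(mvappend("localhost", srcip), destip, "192.168.1.1")
| eval ipaddresses=mvdedup(mvfilter(!isnull(ipaddresses)))
| table To_count From_count Cc_count Bcc_count To_unique_count external_rcpts external_count ipaddresses
```

With the constructed event, To_count is 3, From_count and Cc_count are 1, Bcc_count is NULL because the Bcc field does not exist, To_unique_count is 2 after mvdedup removes the repeated bob@example.org, external_rcpts holds only bob@example.org (so external_count is 1), and ipaddresses contains localhost, 10.0.0.5, 10.0.0.9 and 192.168.1.1. Each mvfilter predicate references exactly one field, as the page requires.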