Usage of Splunk EVAL Function : MVDEDUP


  • This function takes a single argument (X).
  • X can be the name of any multi-value field.
  • The function removes the duplicate values from that multi-value field.

Find below the skeleton of the usage of the function “mvdedup” with EVAL :

….. | eval NEW_FIELD=mvdedup(X)

Example:

index=_internal sourcetype=splunkd_ui_access
| stats list(date_second) as date_second by method
| eval Unique_Value=mvdedup(date_second)

 

Result:

[Screenshots: mvdedup, mvdedup1]

Explanation:

In the above query, method and date_second are both existing fields in the _internal index, and the sourcetype name is splunkd_ui_access. We used the list function to create a multi-value field: list takes all the values of a field and creates a multi-value field that keeps the duplicate values. The date_second field is now a multi-value field. Finally, using the mvdedup function with eval, we removed the duplicate values from the multi-value field and stored the result in a new field called Unique_Value. Unique_Value therefore holds all the unique values of date_second.
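An added example (not from the original post) that runs on any Splunk instance without indexed data: makeresults builds constructed sample events, and the search shows the list before and after mvdedup together with the value counts. The field names n, sorted_unique, total, unique and duplicates are made up for this illustration.

```spl
| makeresults count=8
| streamstats count as n
| eval method=if(n%2==0, "GET", "POST")
| eval date_second=case(n<=2, 15, n<=4, 42, n<=6, 15, true(), 7)
| stats list(date_second) as date_second values(date_second) as sorted_unique by method
| eval Unique_Value=mvdedup(date_second)
| eval total=mvcount(date_second), unique=mvcount(Unique_Value), duplicates=total-unique
| table method date_second Unique_Value sorted_unique total unique duplicates
```

stats values() also drops duplicates but returns the values in lexicographical order, so the sorted_unique column can be compared against Unique_Value. Note that stats list() keeps at most 100 values per group by default, so on large data sets mvdedup only sees what list() retained.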

 

Now you can effectively use the “mvdedup” function with the “eval” command to meet your requirements!

Hope you are now comfortable with: Usage of Splunk EVAL Function : MVDEDUP

 

HAPPY SPLUNKING !!  
