Usage of Splunk EVAL Function : MVJOIN

  • This function takes two arguments (X and Y).
  • X is the name of a multi-value field, and Y is the delimiter.
  • The function concatenates all the values within X, using the value of Y as a separator.

The skeleton for using the “mvjoin” function with EVAL is shown below:

….. | eval NEW_FIELD=mvjoin(X, "Y")

Example:

index=_internal sourcetype=splunkd_ui_access
| stats values(status) as status by method
| eval New_Field=mvjoin(status,"/")

 

Result:

[Screenshots: mvjoin, mvjoin1]

Explanation:

In the above query, method and status are both existing fields in the _internal index, and the sourcetype name is splunkd_ui_access. We used the values function to create a multi-value field: values takes all the values of a field and creates a multi-value field containing only the unique values, so status becomes a multi-value field. Finally, using the mvjoin function with eval, we concatenated all the values within the status field using the “/” sign as a delimiter and stored the result in a new field called New_Field. In New_Field you can see all the values of the status field separated by the “/” sign.
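The same values + mvjoin pattern on data that needs no index, as an added example that is not part of the original post: it builds a few constructed src/user/status rows with makeresults, joins the distinct users and statuses per source, and splits one joined field back into a multi-value field. The field names (constructed_sample, src, user, user_count, users_joined, status_joined, status_roundtrip) and all sample values are assumptions made for this illustration.

```spl
| makeresults
| eval constructed_sample="10.0.0.5,alice,401;10.0.0.5,bob,401;10.0.0.5,alice,403;10.0.0.9,carol,200"
| eval constructed_sample=split(constructed_sample, ";")
| mvexpand constructed_sample
| eval src=mvindex(split(constructed_sample, ","), 0)
| eval user=mvindex(split(constructed_sample, ","), 1)
| eval status=mvindex(split(constructed_sample, ","), 2)
| stats values(user) as user values(status) as status by src
| eval user_count=mvcount(user)
| eval users_joined=mvjoin(user, ", "), status_joined=mvjoin(status, "/")
| eval status_roundtrip=split(status_joined, "/")
| table src user_count users_joined status_joined status_roundtrip
```

The joined fields are single strings, so user_count is computed with mvcount before the join. split with the same delimiter restores the multi-value form only as long as no value contains that delimiter.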

Now you can effectively utilize the “mvjoin” function with the “eval” command to meet your requirements!!

Hope you are now comfortable with: Usage of Splunk EVAL Function : MVJOIN

 

HAPPY SPLUNKING !! 
