Usage of Splunk EVAL Function : MVCOUNT


  • This function takes a single argument (X).
  • The argument may be any multi-value field or any single-value field.
  • If X is a multi-value field, it returns the count of all values within the field.
  • If X is a single-value field, it returns a count of 1.
  • If the field has no values, it returns NULL.

The skeleton for using the “mvcount” function with EVAL is:

... | eval NEW_FIELD=mvcount(X)

Example 1:

For multi-value field:

index=_internal sourcetype=splunkd_ui_access
| stats values(status) as status
| eval New_Field=mvcount(status)

Result:

[Image: mvcount]

Explanation:

In the above query, status is an existing field in the _internal index, and the sourcetype is splunkd_ui_access. Using the values function with the stats command, we have created a multi-value field, so status is now a multi-value field. Finally, we have used the mvcount function to compute the count of values in the status field and store the result in a new field called New_Field. As you can see in the image, the status field contains 6 values, so New_Field shows 6.

************************************************************************************

Example 2:

For single-value field :

index=_internal sourcetype=splunkd_ui_access
| table status
| dedup status
| eval New_Field=mvcount(status)

Result:

[Image: mvcount1]

Explanation:

In the above query, status is an existing field in the _internal index, and the sourcetype is splunkd_ui_access. With the table command we have put the values of the status field in a tabular format, and with the dedup command we have removed duplicate values from the result set. Finally, we have used the mvcount function to compute the count of values in the status field and store the result in a new field called New_Field. As status is a single-value field, it returns 1 every time.
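The three cases listed at the top of this page, run side by side as an added example that is not part of the original post. The rows are constructed with makeresults, and the field names row, raw, sample and safe_count are assumptions chosen for illustration; coalesce is used to turn the NULL result into 0.

```spl
| makeresults count=3
| streamstats count as row
| eval raw=case(row=1, "200,201,303,304,404,500", row=2, "200")
| eval status=split(raw, ",")
| eval New_Field=mvcount(status)
| eval safe_count=coalesce(New_Field, 0)
| eval sample=case(row=1, "constructed multi-value", row=2, "constructed single value", row=3, "constructed empty field")
| table sample status New_Field safe_count
```

Appending `| where New_Field < 2` keeps only the single-value row, because a comparison against NULL is never true, while `| where safe_count < 2` also keeps the row whose field is empty.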

Now you can effectively utilize the “mvcount” function with the “eval” command to meet your requirements!

Hope you are now comfortable with the usage of the Splunk EVAL function MVCOUNT.

HAPPY SPLUNKING!!
