Usage of Splunk EVAL Function : MVZIP

  • This function takes at most three arguments (X, Y, Z).
  • X and Y are multi-value fields and Z is the delimiter.
  • It combines the values of the two multi-value fields positionally: the 1st value of X with the 1st value of Y, the 2nd with the 2nd, and so on.
  • Z is an optional argument. The default delimiter is a comma.

Find below the skeleton of the usage of the function "mvzip" with EVAL:

..... | eval NEW_FIELD=mvzip(X, Y, "Z")

Example 1:

index=_internal sourcetype=splunkd_ui_access
| stats values(method) as method, values(status) as status
| eval New_Field=mvzip(method,status)

Result: (screenshot of the result table, not reproduced in this text)

Explanation:

In the above query, status and method are both existing fields in the _internal index, and the sourcetype name is splunkd_ui_access. Using the values function with the stats command we have created two multi-value fields, so status and method have both become multi-value fields. Finally we have used the mvzip function to combine the values of the two multi-value fields and stored the result in a new field called New_Field. The result shows values only for those positions where both the method field and the status field have a value. Here the default delimiter, a comma, is used.

********************************************************************************

Example 2:

index=_internal sourcetype=splunkd_ui_access
| stats values(method) as method, values(status) as status
| eval New_Field=mvzip(method,status,"/")

Result: (screenshot of the result table, not reproduced in this text)

Explanation:

In the above query, status and method are both existing fields in the _internal index, and the sourcetype name is splunkd_ui_access. Using the values function with the stats command we have created two multi-value fields, so status and method have both become multi-value fields. Finally we have used the mvzip function to combine the values of the two multi-value fields and stored the result in a new field called New_Field. The result shows values only for those positions where both the method field and the status field have a value. Here the values are separated by the "/" sign because we have used "/" as the delimiter.
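As an added example (not part of the original post), the following search builds two multi-value fields of unequal length with makeresults and split, zips them with "/" as the delimiter, and then uses mvexpand and split to recover one row per method/status pair. Note that stats values() returns a deduplicated, sorted list, so the positional pairs in Examples 1 and 2 are not real request/response pairs; mvzip is most useful on fields that are parallel within a single event, which this constructed event imitates.

```spl
| makeresults
| eval method=split("GET,POST,DELETE", ","), status=split("200,302", ",")
| eval pair=mvzip(method, status, "/")
| mvexpand pair
| eval method=mvindex(split(pair, "/"), 0), status=mvindex(split(pair, "/"), 1)
| table pair method status
```

The search returns two rows, GET/200 and POST/302; DELETE is dropped because status has no third value, matching the behaviour described in the explanations above.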

Now you can effectively utilize the "mvzip" function with the "eval" command to meet your requirement!

Hope you are now comfortable in: Usage of Splunk EVAL Function : MVZIP

HAPPY SPLUNKING !!