Usage of Splunk EVAL Function: MVINDEX

• This function takes two or three arguments (X, Y, Z).
• X is a multi-value field, Y is the start index and Z is the end index.
• Y and Z can be positive or negative values.
• This function returns a subset of a multi-value field, as per the given start index and end index.
• If the given indexes are out of range or invalid, it returns null.
• Z is required but Y is optional. If you don’t specify any start index value, by default it takes 0.

Find below the skeleton of the usage of the function “mvindex” with EVAL:
... | eval NEW_FIELD=mvindex(X,Y,Z)

Example 1:

index=_internal sourcetype=splunkd_ui_access
| stats values(status) as status by method
| eval New_Field=mvindex(status,2)

Result:

[result table screenshots not reproduced]

Explanation:
In the above query, status and method are both existing field names in the _internal index, and the sourcetype name is splunkd_ui_access. With the values function of the stats command we have created a multi-value field called status. Finally, we have used the mvindex function with the eval command to take values from the multi-value field. Here we don’t specify any start index, so by default the mvindex function takes the start index as 0. Also, we have specified the end index as 2, so it takes only the 3rd value from the multi-value field. Index counting always starts from the 0th position in the multi-value field. We store the output of the mvindex function in a new field called New_Field. For method equal to “DELETE” and “HEAD” the given index is out of range, so it returns null as output.

****************************************************************************

Example 2:

index=_internal sourcetype=splunkd_ui_access
| stats values(status) as status by method
| eval New_Field=mvindex(status,1,2)

Result:

[result table screenshots not reproduced]

Explanation:
In the above query, status and method are both existing field names in the _internal index, and the sourcetype name is splunkd_ui_access. With the values function of the stats command we have created a multi-value field called status. Finally, we have used the mvindex function with the eval command to take values from the multi-value field. Here we have specified the start index as 1 and the end index as 2, so it takes the 2nd and 3rd values from the multi-value field. Index counting always starts from the 0th position in the multi-value field. We store the output of the mvindex function in a new field called New_Field. For method equal to “DELETE” and “HEAD” the given index is out of range, so it returns null as output.

*************************************************************************

Example 3:

index=_internal sourcetype=splunkd_ui_access
| stats values(status) as status by method
| eval New_Field=mvindex(status,-2)

Result:

[result table screenshots not reproduced]

Explanation:
In the above query, status and method are both existing field names in the _internal index, and the sourcetype name is splunkd_ui_access. With the values function of the stats command we have created a multi-value field called status. Finally, we have used the mvindex function with the eval command to take values from the multi-value field. Here we have specified only the end index as -2, so it takes only the 2nd last value from the multi-value field. Index counting always starts from the 0th position in the multi-value field. We store the output of the mvindex function in a new field called New_Field. For method equal to “DELETE” and “HEAD” the given index is out of range, so it returns null as output.

***************************************************************************

Example 4:

index=_internal sourcetype=splunkd_ui_access
| stats values(status) as status by method
| eval New_Field=mvindex(status,1,-2)

Result:

[result table screenshots not reproduced]

Explanation:
In the above query, status and method are both existing field names in the _internal index, and the sourcetype name is splunkd_ui_access. With the values function of the stats command we have created a multi-value field called status. Finally, we have used the mvindex function with the eval command to take values from the multi-value field. Here we have specified the start index as 1 and the end index as -2, so it takes from the 2nd value from the top to the 2nd last value of the multi-value field. Index counting always starts from the 0th position in the multi-value field. We store the output of the mvindex function in a new field called New_Field. For method equal to “DELETE” and “HEAD” the given index is out of range, so it returns null as output.
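A Python model of the mvindex behaviour that the four examples above show, run against constructed sample data in place of the _internal index. This is added here as an illustration; it is not Splunk code and not part of the original post, and the event list and the helper names stats_values_by, mvindex and run_examples are assumptions made for the example.

```python
# Constructed sample, standing in for the input to
#   ... | stats values(status) as status by method
# stats values() returns each method's distinct status values in lexicographic
# order, so an index position refers to that sorted, de-duplicated list.
SAMPLE_EVENTS = [
    ("GET", "200"), ("GET", "303"), ("GET", "404"), ("GET", "500"), ("GET", "200"),
    ("POST", "200"), ("POST", "303"), ("POST", "200"),
    ("DELETE", "200"), ("HEAD", "200"),
]

def stats_values_by(events):
    """Model of `stats values(field) by key`: distinct values, sorted."""
    out = {}
    for key, value in events:
        out.setdefault(key, set()).add(value)
    return {k: sorted(v) for k, v in out.items()}

def mvindex(mv, start, end=None):
    """Model of eval mvindex(X, START[, END]) as the four examples show it:
    negative indexes count from the end (-1 is the last value); one index
    returns that single value, two return START..END inclusive; any index
    out of range gives None (null), the rule stated in the bullets above."""
    n = len(mv)

    def norm(i):
        # Map a possibly negative index onto 0..n-1, or None if out of range.
        j = i + n if i < 0 else i
        return j if 0 <= j < n else None

    s = norm(start)
    if s is None:
        return None
    if end is None:
        return mv[s]
    e = norm(end)
    if e is None or e < s:
        return None
    return mv[s:e + 1]

def run_examples():
    """Apply the four eval expressions from the examples to the sample data."""
    rows = {}
    for method, status in stats_values_by(SAMPLE_EVENTS).items():
        rows[method] = {
            "ex1": mvindex(status, 2),      # eval New_Field=mvindex(status,2)
            "ex2": mvindex(status, 1, 2),   # eval New_Field=mvindex(status,1,2)
            "ex3": mvindex(status, -2),     # eval New_Field=mvindex(status,-2)
            "ex4": mvindex(status, 1, -2),  # eval New_Field=mvindex(status,1,-2)
        }
    return rows
```

Because values() sorts and de-duplicates, a position like index 2 identifies the 3rd distinct status in sorted order, not the 3rd status seen in the raw events; keep that in mind when a search or alert depends on a fixed index.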

Now you can effectively utilize the “mvindex” function with the “eval” command to meet your requirement!

Hope you are now comfortable with: Usage of Splunk EVAL Function: MVINDEX

HAPPY SPLUNKING !!