Usage Of Splunk EVAL Function : MVMAP

● This function takes at most two arguments, X and Y.
X can be a multi-value expression, any multi-value field, or any single-value field.
Y is an expression that is evaluated against each value of X.

The skeleton of the mvmap function used with eval is:

….. | eval NEW_FIELD=mvmap(X,Y)

Example 1:

index=_internal sourcetype="splunkd_ui_access" 
| stats values(status) as status by method 
| eval new=mvmap(status,status*10)

Result: (shown as a screenshot in the original post)


Explanation:
In the above query, status and method are both existing fields of the _internal index with sourcetype splunkd_ui_access. Using the values function with the stats command, we created one multi-value field (status, grouped by method). Finally we used the mvmap function to multiply each value of the status field by 10 and stored the results in the field new.

NOTE: Instead of multiplication you can do any kind of mathematical calculation using mvmap.

Example 2:

index=_internal sourcetype="splunkd_ui_access"
| table status bytes
| eval new=mvmap(status,status+bytes)

Result: (shown as a screenshot in the original post)


Explanation:
In the above query, status and bytes are both existing fields of the _internal index with sourcetype splunkd_ui_access. First we displayed them in tabular format, then we added bytes to each status value. Here both fields are single-valued.

Example 3:

index=_internal sourcetype="splunkd_ui_access"
| stats values(status) as status by bytes
| eval new=mvmap(status,status*bytes)

Result: (shown as a screenshot in the original post)


Explanation:
In the above query, status and bytes are both existing fields of the _internal index with sourcetype splunkd_ui_access. Here we created a multi-value field called status using the values function with the stats command, while bytes is a single-value field. Finally we used mvmap to multiply each value of status by the value of bytes.

See also: Usage Of Splunk Eval Function: MVRANGE

Example 4:

index=_internal sourcetype="splunkd_ui_access"
| stats values(status) as status by method
| eval new=mvmap(mvindex(status,0,2),status*10)

Result: (shown as a screenshot in the original post)


Explanation:
In the above query, status and method are both existing fields of the _internal index with sourcetype splunkd_ui_access. Here we created a multi-value field called status using the values function with the stats command, while method is a single-value field. As explained at the top, in place of X you can use any expression that results in a multi-value field, as we did here: using mvindex we pick the first three values of each status field, and then mvmap multiplies each of them by 10.

If you are not familiar with the mvindex function, see the separate post on its usage.

NOTE: mvmap deals only with numeric fields.
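To try the patterns from Examples 1 to 4 without access to the _internal index, the following search (an added example, not part of the original post) builds a single constructed event with makeresults. The field names method, bytes and status, and their values, are made up for the example; status is built with mvappend so it is a multi-value field like the output of stats values(). The search shows the three forms used above: a pure multi-value mapping, a mapping that mixes the multi-value field with a single-value field, and one whose X argument is itself an expression (mvindex).

```spl
| makeresults count=1
| eval method="GET", bytes=100
| eval status=mvappend("200","304","404")
| eval times_ten=mvmap(status, status*10)
| eval plus_bytes=mvmap(status, tonumber(status)+bytes)
| eval first_two_times_ten=mvmap(mvindex(status,0,1), status*10)
| table method bytes status times_ten plus_bytes first_two_times_ten
```

Expected values on the single result row: times_ten is 2000, 3040, 4040; plus_bytes is 300, 404, 504; first_two_times_ten is 2000, 3040 (mvindex with indexes 0 and 1 selects two values, whereas the page's mvindex(status,0,2) selects three). tonumber is used in plus_bytes because the + operator in eval also performs string concatenation, and the values produced by mvappend are strings; forcing numeric conversion makes the addition unambiguous. Multiplication needs no such conversion.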

Now you can effectively use the mvmap function with the eval command to meet your requirements.
We hope you are now comfortable with the usage of the Splunk EVAL function MVMAP.

Happy Splunking !!
