Usage of Splunk EVAL Function : MVAPPEND
- This function takes multiple arguments.
- The arguments may be strings, multi-value fields, or single-value fields.
- This function returns a multi-value result containing all the values of the arguments.
Find below the skeleton of the usage of the function “mvappend” with EVAL:
... | eval NEW_FIELD=mvappend(X,Y,Z,...)
Example:
index=_internal sourcetype=splunkd_ui_access
| table date_minute,date_second,date_hour,method
| dedup date_minute,date_second,date_hour,method
| eval New_Field=mvappend(date_minute,date_second,date_hour,method)
Explanation:
In the above query, date_minute, date_second, date_hour and method are all existing fields in the _internal index, and the sourcetype name is splunkd_ui_access. We have put these fields in a tabular format with the table command and removed duplicate values with the dedup command. Finally, using the mvappend function with the eval command, we have appended the values of the existing fields for each row and stored them in a new field called New_Field. New_Field will be a multi-value field.
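A self-contained variant that runs without any indexed data, added here as an illustration and not part of the original post: it passes mvappend two single-value fields, one multi-value field and a string literal, then counts the values before and after de-duplication. The field names (src_ip, dest_ip, dns_answers, all_ips, unique_ips) and the documentation-range IP addresses are constructed sample values.

```spl
| makeresults
| eval src_ip="10.0.0.5", dest_ip="192.0.2.10"
| eval dns_answers=split("192.0.2.10,198.51.100.7", ",")
| eval all_ips=mvappend(src_ip, dest_ip, dns_answers, "203.0.113.9")
| eval unique_ips=mvdedup(all_ips)
| eval total_values=mvcount(all_ips), unique_values=mvcount(unique_ips)
| table src_ip, dest_ip, dns_answers, all_ips, unique_ips, total_values, unique_values
```

mvappend keeps repeated values and skips arguments that are null, so mvdedup is applied afterwards when the combined field should hold each value only once.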
Now you can effectively use the “mvappend” function with the “eval” command to meet your requirements!
Hope you are now comfortable with: Usage of Splunk EVAL Function: MVAPPEND
HAPPY SPLUNKING!!