Usage of Splunk EVAL Function : MVDEDUP
- This function takes a single argument (X).
- X can be any multi-value field name.
- This function removes the duplicate values from a multi-value field.
The skeleton for using the “mvdedup” function with EVAL is:
….. | eval NEW_FIELD=mvdedup(X)
Example:
index=_internal sourcetype=splunkd_ui_access
| stats list(date_second) as date_second by method
| eval Unique_Value=mvdedup(date_second)
Result:
Explanation:
In the above query, method and date_second are both existing fields in the _internal index, and the sourcetype is splunkd_ui_access. We used the list function with stats to create a multi-value field: list takes all the values of a field and builds a multi-value field that keeps the duplicate values, so date_second becomes a multi-value field. Finally, using the mvdedup function with eval, we removed the duplicate values from the multi-value field and stored the result in a new field called Unique_Value, which holds all the unique values of date_second.
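The same pipeline on constructed events, so it runs on any search head without depending on what is in _internal. This is an added example, not part of the original post: the eight events, their method and date_second values, and the total and distinct field names are made up for illustration. Comparing mvcount before and after mvdedup shows how many duplicates were dropped for each method.

```spl
| makeresults count=8
| streamstats count as n
| eval method=if(n%2==0, "GET", "POST")
| eval date_second=case(n<=2, 10, n<=4, 25, n<=6, 10, true(), 40)
| stats list(date_second) as date_second by method
| eval Unique_Value=mvdedup(date_second)
| eval total=mvcount(date_second), distinct=mvcount(Unique_Value)
| table method date_second Unique_Value total distinct
```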
Now you can effectively use the “mvdedup” function with the “eval” command to meet your requirements!
Hope you are now comfortable with: Usage of Splunk EVAL Function : MVDEDUP
HAPPY SPLUNKING !!