
Usage of Splunk EVAL Function: MVINDEX

We have gone through many of the “Splunk Eval Command” functions. In this post we are going to talk about the multivalue Splunk eval function called MVINDEX.

Usage of Splunk EVAL Function: MVINDEX

• This function takes two or three arguments (X, Y, Z).
• X is a multivalue field, Y is the start index and Z is the end index.
• Y and Z can be positive or negative values.
• This function returns a subset of the multivalue field, as selected by the given start index and end index.
• If the given indexes are out of range or invalid, it returns null.
• Z is required but Y is optional. If you don’t specify any start index value, by default it takes 0.

Find below the skeleton of the usage of the function “mvindex” with EVAL:
... | eval NEW_FIELD=mvindex(X,Y,Z)

Example 1:

index=_internal sourcetype=splunkd_ui_access
| stats values(status) as status by method
| eval New_Field=mvindex(status,2)

Result: (screenshot of the search results, not reproduced here)

Explanation:
In the above query, status and method are both existing field names in the _internal index, and the sourcetype name is splunkd_ui_access. With the values function of the stats command we have created a multivalue field called status. Finally, we have used the mvindex function with the eval command to take values from the multivalue field. Here we don’t specify any start index, so by default the mvindex function takes the start index as 0. We have specified the end index as 2, so it takes only the 3rd value from the multivalue field. Counting of indexes always starts from the 0th position in the multivalue field. We store the output of the mvindex function in a new field called New_Field. For method equal to “DELETE” and “HEAD” the given index is out of range, so it returns null as output.

****************************************************************************


Example 2:

index=_internal sourcetype=splunkd_ui_access
| stats values(status) as status by method
| eval New_Field=mvindex(status,1,2)

Result: (screenshot of the search results, not reproduced here)

Explanation:
In the above query, status and method are both existing field names in the _internal index, and the sourcetype name is splunkd_ui_access. With the values function of the stats command we have created a multivalue field called status. Finally, we have used the mvindex function with the eval command to take values from the multivalue field. Here we have specified the start index as 1 and the end index as 2, so it takes the 2nd and 3rd values from the multivalue field. Counting of indexes always starts from the 0th position in the multivalue field. We store the output of the mvindex function in a new field called New_Field. For method equal to “DELETE” and “HEAD” the given index is out of range, so it returns null as output.

*************************************************************************

Example 3:

index=_internal sourcetype=splunkd_ui_access
| stats values(status) as status by method
| eval New_Field=mvindex(status,-2)

Result: (screenshot of the search results, not reproduced here)

Explanation:
In the above query, status and method are both existing field names in the _internal index, and the sourcetype name is splunkd_ui_access. With the values function of the stats command we have created a multivalue field called status. Finally, we have used the mvindex function with the eval command to take values from the multivalue field. Here we have specified only the end index, as -2, so it takes only the 2nd-last value from the multivalue field. Counting of indexes always starts from the 0th position in the multivalue field. We store the output of the mvindex function in a new field called New_Field. For method equal to “DELETE” and “HEAD” the given index is out of range, so it returns null as output.

***************************************************************************


Example 4:

index=_internal sourcetype=splunkd_ui_access
| stats values(status) as status by method
| eval New_Field=mvindex(status,1,-2)

Result: (screenshot of the search results, not reproduced here)

Explanation:
In the above query, status and method are both existing field names in the _internal index, and the sourcetype name is splunkd_ui_access. With the values function of the stats command we have created a multivalue field called status. Finally, we have used the mvindex function with the eval command to take values from the multivalue field. Here we have specified the start index as 1 and the end index as -2, so it takes from the 2nd value from the top through the 2nd-last value of the multivalue field. Counting of indexes always starts from the 0th position in the multivalue field. We store the output of the mvindex function in a new field called New_Field. For method equal to “DELETE” and “HEAD” the given index is out of range, so it returns null as output.
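To make the index rules behind all four examples concrete without a Splunk instance at hand, the Python below emulates mvindex over a small constructed stand-in for the `stats values(status) as status by method` output. This is an added example, not code from this post or from Splunk; the status lists per method are made up (the real _internal data will differ), and the choice to return null when the end index lands before the start index is an assumption.

```python
"""Added example (not Splunk's code): emulate the mvindex() index rules."""
from typing import Optional, Sequence, Union

# Constructed sample data standing in for
#   index=_internal sourcetype=splunkd_ui_access
#   | stats values(status) as status by method
# The values are invented; DELETE and HEAD deliberately have a single
# status so every example's index is out of range for them, as the post says.
STATUS_BY_METHOD = {
    "GET": ["200", "303", "404", "500"],
    "POST": ["200", "303", "404"],
    "DELETE": ["200"],
    "HEAD": ["200"],
}


def mvindex(mv: Sequence[str], start: int, end: Optional[int] = None) -> Optional[Union[str, list]]:
    """Select element(s) of a multivalue field by 0-based, end-inclusive indexes.

    Negative indexes count from the end (-1 is the last value). An index that
    falls outside the field yields None, which stands in for Splunk's null.
    """
    n = len(mv)

    def normalise(i: int) -> Optional[int]:
        # Map a negative index onto its positive position; reject out-of-range.
        j = i + n if i < 0 else i
        return j if 0 <= j < n else None

    s = normalise(start)
    if s is None:
        return None
    if end is None:
        # Two-argument form: a single value (Examples 1 and 3 in the post).
        return mv[s]
    e = normalise(end)
    # Assumption: an empty range (end before start) behaves like out-of-range.
    if e is None or e < s:
        return None
    return list(mv[s : e + 1])


def apply_to_results(start: int, end: Optional[int] = None) -> dict:
    """Evaluate New_Field=mvindex(status, start[, end]) for every method row."""
    return {method: mvindex(values, start, end) for method, values in STATUS_BY_METHOD.items()}


if __name__ == "__main__":
    examples = (
        ("Example 1: mvindex(status,2)", (2,)),
        ("Example 2: mvindex(status,1,2)", (1, 2)),
        ("Example 3: mvindex(status,-2)", (-2,)),
        ("Example 4: mvindex(status,1,-2)", (1, -2)),
    )
    for label, args in examples:
        print(label, apply_to_results(*args))
```

Running it shows GET and POST yielding values for every example while DELETE and HEAD come back as None each time, which is the null the post describes for those two methods.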

Now you can effectively use the “mvindex” function with the Splunk eval command to meet your requirements.

Hope you are now comfortable with: Usage of Splunk EVAL Function: MVINDEX

HAPPY SPLUNKING !!

Passionate content developer dedicated to producing result-oriented content, a specialist in technical and marketing niche writing. Splunk Geek is a professional content writer with 6 years of experience and has been working for businesses of all types and sizes. It believes in offering insightful, educational, and valuable content, and its work reflects that.
