Usage of Splunk EVAL Function : MVZIP
- This function takes a maximum of 3 arguments (X, Y, Z).
- X and Y are multi-value fields and Z is the delimiter.
- This function combines the values of the multi-value fields: the 1st value of X with the 1st value of Y, the 2nd with the 2nd, and so on.
- Z is an optional argument. The default delimiter is a comma.
Find below the skeleton of the usage of the "mvzip" function with EVAL:
..... | eval NEW_FIELD=mvzip(X,Y,"Z")
Example 1:
index=_internal sourcetype=splunkd_ui_access
| stats values(method) as method , values(status) as status
| eval New_Field=mvzip(method,status)
Result:
Explanation:
In the above query, status and method are both existing fields in the _internal index, and the sourcetype name is splunkd_ui_access. Using the values function with the stats command, we have created two multi-value fields: status and method have both become multi-value fields. Finally, we have used the mvzip function to combine the values of the multi-value fields and stored the result in a new field called New_Field. The result shows values only for those positions where both the method and status fields have a value. Here the default delimiter, a comma, is used.
********************************************************************************
Example 2:
index=_internal sourcetype=splunkd_ui_access
| stats values(method) as method , values(status) as status
| eval New_Field=mvzip(method,status,"/")
Result:
Explanation:
In the above query, status and method are both existing fields in the _internal index, and the sourcetype name is splunkd_ui_access. Using the values function with the stats command, we have created two multi-value fields: status and method have both become multi-value fields. Finally, we have used the mvzip function to combine the values of the multi-value fields and stored the result in a new field called New_Field. The result shows values only for those positions where both the method and status fields have a value. Here the values are separated by the "/" sign because we have used "/" as the delimiter.
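As an added example (not part of the original post), the following Python model reproduces the mvzip behaviour described in Example 1 and Example 2 over a constructed set of splunkd_ui_access-style events: the default comma delimiter, a custom "/" delimiter, and truncation to the shorter field. It also shows a point a detection engineer should keep in mind when zipping stats output: values() returns sorted distinct values, so the zipped pairs do not correspond to the method and status of the same event, whereas list() keeps event order. The sample events, the stats_values/stats_list helpers and their orderings (lexicographic for values(), event order for list(), as documented by Splunk) are assumptions of this example.

```python
# Added example, not from the original post: a Python model of Splunk's
# eval mvzip(X, Y, Z) and of stats values()/list(), run over constructed events.

def mvzip(x, y, delim=","):
    """Model of eval mvzip(X, Y, Z).

    Single values are treated as one-element multi-value fields. The result
    is truncated to the shorter field, so positions where only one side has
    a value are dropped. Z defaults to a comma.
    """
    xs = x if isinstance(x, list) else [x]
    ys = y if isinstance(y, list) else [y]
    return [f"{a}{delim}{b}" for a, b in zip(xs, ys)]


def stats_values(events, field):
    """Model of stats values(field): distinct values, sorted lexicographically."""
    return sorted({str(e[field]) for e in events if field in e})


def stats_list(events, field):
    """Model of stats list(field): every value, in event order."""
    return [str(e[field]) for e in events if field in e]


# Constructed sample events standing in for index=_internal sourcetype=splunkd_ui_access.
# Four distinct methods but only three distinct statuses, so values() zipping truncates.
EVENTS = [
    {"method": "GET", "status": 200},
    {"method": "POST", "status": 401},
    {"method": "GET", "status": 200},
    {"method": "DELETE", "status": 403},
    {"method": "PUT", "status": 200},
]


def zip_values(events, delim=","):
    """Examples 1 and 2 from the page: mvzip over two stats values() fields."""
    return mvzip(stats_values(events, "method"), stats_values(events, "status"), delim)


def zip_list(events, delim=","):
    """Same zip over stats list() fields: each pair comes from one event."""
    return mvzip(stats_list(events, "method"), stats_list(events, "status"), delim)


if __name__ == "__main__":
    print(zip_values(EVENTS))        # ['DELETE,200', 'GET,401', 'POST,403']  (PUT dropped)
    print(zip_values(EVENTS, "/"))   # ['DELETE/200', 'GET/401', 'POST/403']
    print(zip_list(EVENTS))          # ['GET,200', 'POST,401', 'GET,200', 'DELETE,403', 'PUT,200']
```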
Now you can effectively utilize the "mvzip" function with the "eval" command to meet your requirements!
Hope you are now comfortable with: Usage of Splunk EVAL Function : MVZIP
HAPPY SPLUNKING !!