Splunk® Cloud Services

SPL2 Search Reference

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Multivalue eval functions

The following list contains the functions that you can use on multivalue fields or to return multivalue fields.

You can also use the statistical eval functions, such as max, on multivalue fields. See Statistical eval functions.

For information about using string and numeric fields in functions, and nesting functions, see Overview of SPL2 eval functions.

mvappend(<values>)

This function returns a single multivalue result from a list of values.

Usage

The values can be strings, multivalue fields, or single value fields.

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Examples

Specifying literals and field names

This example shows how to append the literal value localhost to the values in the srcip field. The results are placed in a new multivalue field called ipaddresses:

... | eval ipaddresses=mvappend("localhost", srcip)

Nested mvappend functions

This example shows how to use nested mvappend functions.

  • The inner mvappend function contains two values: localhost is a literal string value and srcip is a field name.
  • The outer mvappend function contains three values: the inner mvappend function, destip is a field name, and 192.168.1.1 which is a literal IP address.

... | eval ipaddresses=mvappend(mvappend("localhost", srcip), destip, "192.168.1.1")

The results are placed in a new field called ipaddresses which contains the array ["localhost", <values_in_srcip>, <values_in_destip>, "192.168.1.1"].

mvcount(<mv>)

This function takes a multivalue field and returns a count of the values in that field.

Usage

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

If the field contains a single value, this function returns 1. If the field has no values, this function returns NULL.

Basic example

... | eval n=mvcount(myfield)

Extended example

In the following example, the mvcount() function returns the number of email addresses in the To, From, and Cc fields and saves the addresses in the specified "_count" fields.

eventtype="sendmail" | eval To_count=mvcount(split(To,"@"))-1 | eval From_count=mvcount(From) | eval Cc_count= mvcount(split(Cc,"@"))-1

This search takes the values in the To field and uses the split function to separate the email address on the @ symbol. The split function is also used on the Cc field for the same purpose.

If only a single email address exists in the From field, as you would expect, mvcount(From) returns 1. If there is no Cc address, the Cc field might not exist for the event. In that situation mvcount(cc) returns NULL.

mvdedup(<mv>)

This function takes a multivalue field and returns a multivalue field with the duplicate values removed.

Usage

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Example

... | eval s=mvdedup(myfield)


mvfilter(<predicate>)

This function filters a multivalue field based on a predicate expression. The expression can reference only one field.

Usage

This function will return NULL values of the field x as well. If you do not want the NULL values, use one of the following expressions:

  • mvfilter(!isnull(x))
  • mvfilter(isnotnull(x))

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Example

The following example returns all of the values in the email field that end in .net or .org.

... | eval n=mvfilter(match(email, "\.net$") OR match(email, "\.org$"))

mvfind(<mv>, <regex>)

This function returns the index for the first value in a multivalue field that matches a regular expression. The index begins with zero. If no values match, NULL is returned.

Usage

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Example

... | eval n=mvfind(myfield, "err\d+")

mvindex(<mv>, <start>, <end>)

This function returns a subset of the multivalue field using the start and end index values.

Usage

The <mv> argument must be a multivalue field. The <start> and <end> indexes must be numbers.

The <mv> and <start> arguments are required. The <end> argument is optional.

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Specifying the start and end indexes

  • Indexes start at zero. If you have 5 values in the multivalue field, the first value has an index of 0. The second value has an index of 1, and so on.
  • If only the <start> argument is specified, only that value is included in the results.
  • When the <end> argument is specified, the range of values from <start> to <end> are included in the results.
  • Both the <start> and <end> arguments can be negative. An index of -1 is used to specify the last value in the list.
  • If the indexes are out of range or invalid, the result is NULL.

Examples

Consider the following values in a multivalue field called names:

Name alex celestino claudia david ikraam nyah rutherford wei
index number 0 1 2 3 4 5 6 7

Because indexes start at zero, the following example returns the value claudia:

... | eval my_names=mvindex(names,2)

To return a range of values, specify both a start and end value. For example, the following search returns the first 4 values in the field. The start value is 0 and the end value is 3.

... | eval my_names=mvindex(names,0,3)

The results look like this:

my_names
alex,celestino,claudia,david

Extended examples

Consider the following values in a multivalue field:

ponies
buttercup, dash, flutter, honey, ivory, minty, pinky, rarity

To return a value from the end of the list of values, the index numbers start with -1. The negative symbol indicates that the indexing starts from the last value. For example:

Pony name buttercup dash flutter honey ivory minty pinky rarity
index number -8 -7 -6 -5 -4 -3 -2 -1


To return the last value in the list, you specify -1, which indicates to start at the end of the list and return only one value. For example:

... | eval my_ponies=mvindex(ponies,-1)

The results look like this:

my_ponies
rarity

To return the 3rd value from the end, you would specify the index number -3. For example:

... | eval my_ponies=mvindex(ponies,-3)

The results look like this:

my_ponies
minty

To return a range of values, specify both a start and end value. For example, the following search returns the last 3 values in the field. The start value is -3 and the end value is -1.

... | eval my_ponies=mvindex(ponies, -3, -1)

The results look like this:

my_ponies
minty,pinky,rarity

mvjoin(<mv>,<delim>)

This function takes two arguments, a multivalue field and a string delimiter. The function concatenates the individual values within the multivalue field using the value of the delimiter as a separator.

Usage

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Examples

You have a multivalue field called "base" that contains the values "1" "2" "3" "4" "5". The values are separated by a space. You want to create a single value field instead, with OR as the delimiter. For example "1 OR 2 OR 3 OR 4 OR 5".

The following search creates the base field with the values. The search then creates the joined field by using the result of the mvjoin function.

... | eval base=mvrange(1,6), joined=mvjoin('base'," OR ")

The following example joins together the individual values in the "myfield" field using a semicolon as the delimiter:

... | eval n=mvjoin(myfield, ";")


mvmap(<mv>,<expression>)

Description

This function iterates over the values of a multivalue field and performs an operation on each value. The function returns a multivalue field with the list of results.

Usage

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Basic examples

The following example multiplies each value in the results field by 10.

... | eval n=mvmap(results, results*10)


The following example multiplies each value in the results field by threshold, where threshold is a single-valued field.

... | eval n=mvmap(results, results*threshold)


The following example multiplies the 2nd and 3rd values in the results field by threshold, where threshold is a single-valued field. This example uses the mvindex function to identify specific values in the results field.

... | eval n=mvmap(mvindex(results, 1,2), results*threshold)

mvrange(<start>, <end>, <step>)

This function creates a multivalue field based on a range of specified numbers.

Usage

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

The step increment is optional. If the <step> increment is a timespan such as 7d, the starting and ending numbers are treated as UNIX time.

The <end> number is not included from the multivalue field that is created.

Examples

The following example returns a multivalue field with the values 1, 3, 5, 7, 9.

... | eval mv=mvrange(1,11,2)


The following example takes the UNIX timestamp for 1/1/2018 as the start date and the UNIX timestamp for 4/19/2018 as an end date and uses the increment of 7 days.

| from [{}] | eval mv=mvrange(1514834731,1524134919,"7d")

This example returns a multivalue field with the UNIX timestamps. The results look like this:

Field Value
mv 1546370743, 1546975543, 1547580343, 1548185143, 1548789943, 1549394743, 1549999543, 1550604343, 1551209143, 1551813943, 1552418743, 1553023543, 1553628343, 1554233143, 1554837943, 1555442743

mvsort(<mv>)

This function takes a multivalue field and returns a multivalue field with the values sorted lexicographically.

Usage

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.

  • Numbers are sorted before letters. Numbers are sorted based on the first digit. For example, the numbers 10, 9, 70, 100 are sorted lexicographically as 10, 100, 70, 9.
  • Uppercase letters are sorted before lowercase letters.
  • Symbols are not standard. Some symbols are sorted before numeric values. Other symbols are sorted before or after letters.

See Lexicographical order.

Example

... | eval s=mvsort(myfield)


mvzip(<mv_left>, <mv_right>, <delim>)

This function combines the values in two multivalue fields. The delimiter is used to specify a delimiting character to join the two values.

Usage

This is similar to the Python zip command.

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

The values are stitched together the first value of <mv_left> with the first value of field <mv_right>, then the second with the second, and so on.

The delimiter is optional. The default delimiter is a comma ( , ).

Basic example

... | eval nserver=mvzip(hosts, ports)

Extended example

You can nest several mvzip functions together to create a single multivalue field. In this example, the field three_fields is created from three separate fields. The pipe ( | ) character is used as the separator between the field values.

...| eval three_fields=mvzip(mvzip(field1,field2,"|"),field3,"|")

(Thanks to Splunk user cmerriman for this example.)

mv_to_json_array(<field>, <infer_types>)

This function maps the elements of a multivalue field to a JSON array.

Usage

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Because the elements of JSON arrays can have many data types (such as string, numeric, Boolean, and null), the mv_to_json_array function lets you specify how it should map the contents of multivalue fields into JSON arrays. You can have the field values simply written to arrays as string data types, or you can have the function infer different JSON data types.

Use the <infer_types> input to specify that the mv_to_json_array function should attempt to infer JSON data types when it converts field values into array elements. The <infer_types> input defaults to false.

Syntax Description
mv_to_json_array(<field>, false()) or
mv_to_json_array(<field>)
By default, or when you explicitly set it to false(), the mv_to_json_array function maps all values in the multivalued field to the JSON array as string data types, whether they are numeric, strings, Boolean values, or any other JSON data type. The mv_to_json_array function effectively splits the multivalue field on the comma and writes each quote-enclosed value to the array as an element with the string data type.
mv_to_json_array(<field>, true()) When you set the mv_to_json_array function to true(), the function removes one set of bracketing quote characters from each value it transfers into the JSON array. If the function does not recognize the resulting array element as a proper JSON data type (such as string, numeric, Boolean, or null), the function turns the element into a null data type.

Example

This example shows you how the mv_to_json_array function can validate JSON as it generates JSON arrays.

This search creates a multivalue field named ponies.

... | eval ponies = mvappend("\"Buttercup\"", "\"Fluttershy\"", "\"Rarity\"", "true", "null"),

The array that is created from these values depends on the <infer_types> input.

Without inferring data types

When <infer_types> is set to false or omitted, the mv_to_json_array function converts the field values into array elements without changing the values.

... | eval my_sweet_ponies = mv_to_json_array(ponies, false())

The resulting array looks like this:
["\"Buttercup\"","\"Fluttershy\"","\"Rarity\"","true","null"]

With inferring data types

When you run this search with infer_values set to true(), the mv_to_json_array function removes the extra quote and backslash escape characters from the field values when the values are converted into array elements.

... | eval my_sweet_ponies = mv_to_json_array(ponies, true())

The resulting array looks like this:
["Buttercup","Fluttershy","Rarity",true,null]

split(<str>, <delim>)

This function splits the string values on the delimiter and returns the string values as a multivalue field.

Usage

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Example

The following search creates an event with a test field that contains a list of string values separated by semicolon characters ( ; ).

from repeat({},1) | eval _time=now() | eval test="buttercup;rarity;tenderhoof;dash;mcintosh;fleetfoot;mistmane"

The results look like this:

_time test
21:39:56PM

20 Sep 2022

buttercup;rarity;tenderhoof;dash;mcintosh;fleetfoot;mistmane

Use the split function to separate the names in the event into a multivalue field, using the semicolon as the delimiter:

from repeat({},1) | eval _time=now() | eval test="buttercup;rarity;tenderhoof;dash;mcintosh;fleetfoot;mistmane" | eval ponies=split(test,";")

The ponies field is a multivalue field and the results look like this:

_time ponies test
21:39:56PM

20 Sep 2022

buttercup

rarity
tenderhoof
dash
mcintosh
fleetfoot
mistmane

buttercup;rarity;tenderhoof;dash;mcintosh;fleetfoot;mistmane

See also

Function information
SPL2 eval functions Quick Reference
Overview of SPL2 eval functions
Naming function arguments in the SPL2 Search Manual
Last modified on 21 September, 2022
PREVIOUS
Mathematical functions
  NEXT
Statistical eval functions

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters