Solved: Re: How can I use the eval function mvzip with 8 a...

leonheart78 · ‎08-22-2015

Trying to achieve the below:
eval x=mvzip(Title,Serial,beginTime,language,a1,a2,b1,b2)

How can I achieve this?
Thank you.

somesoni2 · ‎08-23-2015

Try like this

Your base search | eval x=mvzip(Title,mvzip(Serial,mvzip(beginTime,mvzip(language,mvzip(a1,mvzip(a2,mvzip(b1,b2)))))))

View solution in original post

gcato · ‎08-23-2015

Hi Leonheart78,

You can find some good answers here.

http://answers.splunk.com/answers/123887/how-to-expand-multiple-multivalue-fields.html
http://answers.splunk.com/answers/130571/three-are-more-multiple-value-for-mvzip.html

Potentially, a foreach loop could be used. For example

| noop | stats count as a | eval a=mvrange(1,3) | eval b=mvrange(3,6) | eval c=mvrange(6,8) | foreach a b c [ mvexpand <<FIELD>> ] | eval x="" 
 | foreach a b c [ eval x=mvzip(x, '<<FIELD>>') ] | rex mode=sed field=x "s/^,//"

    a   b   c   x
    1   3   6   1,3,6
    1   3   7   1,3,7
    1   4   6   1,4,6
    ...

The rex command strips the initial null x field value out again. Hope that helps.

jet1276 · ‎11-19-2018

This works like a charm. Thanks.

somesoni2 · ‎08-23-2015

Try like this

Your base search | eval x=mvzip(Title,mvzip(Serial,mvzip(beginTime,mvzip(language,mvzip(a1,mvzip(a2,mvzip(b1,b2)))))))

How can I use the eval function mvzip with 8 attributes?

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification