2 Solutions. First one uses only commands that should be in older versions of splunk: | makeresults
| eval test=split("abc,defgh,a,asdfasdfasdfasdf,igasfasd", ",")
| eval other_important_field="blah"
| mvexpand test
| eval length=len(test)
| eventstats max(length) as max_length, min(length) as min_length
| eval longest=if(length==max_length, test, null() ), shortest=if(length==min_length, test, null() )
| stats values(longest) as longest, values(shortest) as shortest, values(test) as test by _time other_important_field If like me you don't like the idea of using mvexpand (for instance because in some cases your multivalue can be empty) you can use this alternative: It's using the newish mvmap command to massage the multivalue and then the min/max statistical function that works with strings using alphabetical order. The use of printf ensures alphabetical and numerical order are the same. | makeresults
| eval test=split("abc,defgh,a,asdfasdfasdfasdf,igasfasd", ",")
| eval test2=mvmap(test, printf("%05d", len(test) ) . " - " . test)
| eval shortest=min(test2), longest=max(test2)
| eval shortest=replace(shortest, "^\d+ - ", "" ), longest=replace(longest, "^\d+ - ", "" ) Hope this helps.
... View more