Trying to find the index of a value within a multi...

t_tharr · ‎07-22-2015

Hi,

I am trying to find the index of a value within a multivalued field. I assume mvfind is the correct eval function for this purpose. However it does not match anything. I am trying to fetch the index of "Links and UI" in a multivalued field called "Sub Calls" like this -

mysearch | chart list(AA) as "Sub Calls", list(BB) as "Sub Calls Duration" by MO_id | eval LUI_index = mvfind("Sub Calls", "^Links and UI$") | table MO_id, "Sub Calls", "Sub Calls Duration", LUI_index

This always returns null. Can someone please tell me where I could be going wrong in the regex?

woodcock · ‎07-28-2015

The problem is here:

mvfind("Sub Calls", "^Links and UI$")

Splunk is using the first argument as a literal string, not as a field name. This is why I always try to avoid whitespace in field names and when I cannot, I never use double-quotes, but instead use dollar-signs, like this (which will work for you):

mvfind($Sub Calls$, "^Links and UI$")

Again, the best solution would be to convert the spaces to underscores like this:

mysearch | chart list(AA) as Sub_Calls list(BB) as Sub_Calls_Duration by MO_id | eval LUI_index = mvfind(Sub_Calls, "^Links and UI$") | table MO_id Sub_Calls Sub_Calls_Duration LUI_index

jacobwilkins · ‎07-22-2015

You really can't count on keeping parallel indexes on to separate multi-value fields.

Why not do:

mysearch | stats values(BB) by AA, MO_id

Trying to find the index of a value within a multivalued field, why is is mvfind on the multivalue field not working?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!