Is there any sort of syntax for me to be able to manipulate or get data on data that exists in the values() field?
So let's say that I do a
| stats values(dest_port) by src_ip
I then want to order the values in the values(dest_port), or I only want the top 10 of the list in values(), or I want to only get the top and bottom. Is there any sort of notation or syntax that I can use to do this?
Once you use values(), your fields become multi-value. There are numerous functions that can be applied to these sorts of fields; check out https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/MultivalueEvalFunctions
If you want to sort the data, use eval sorted=mvsort(data). If you want the first 10 events, you can use eval first10 = mvindex(data,0,9).
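A complete search that exercises the mvsort()/mvindex() approach from the answer, with a small constructed data set so it runs on any Splunk instance without an index. This is an added example, not code from the thread; the src_ip/dest_port sample values, the field names (all_ports, ports_sorted, hits, rank, top3_by_hits) and the ranking step built from stats, sort and streamstats are my own, and the ports-per-IP counts are made up. It also goes one step beyond the answer: the lexicographic ordering of values() and mvsort() is shown side by side with a "top N by hit count" ranking, which is usually what "top 10 ports" means in a detection context.

```spl
| makeresults
| eval sample="10.0.0.5:443,10.0.0.5:443,10.0.0.5:443,10.0.0.5:80,10.0.0.5:80,10.0.0.5:22,10.0.0.5:8080,10.0.0.5:3389,10.0.0.5:445,10.0.0.5:53,10.0.0.5:25,10.0.0.5:110,10.0.0.5:143,10.0.0.5:993,10.0.0.5:8443,10.0.0.9:22,10.0.0.9:22,10.0.0.9:22,10.0.0.9:80"
| makemv delim="," sample
| mvexpand sample
| rex field=sample "(?<src_ip>[^:]+):(?<dest_port>\d+)"
| fields src_ip dest_port
| stats count AS hits BY src_ip dest_port
| sort 0 src_ip -hits
| streamstats count AS rank BY src_ip
| eventstats values(dest_port) AS all_ports BY src_ip
| where rank <= 3
| stats values(all_ports) AS all_ports, list(dest_port) AS top3_by_hits BY src_ip
| eval n_ports = mvcount(all_ports)
| eval ports_sorted = mvsort(all_ports)
| eval first10 = mvindex(ports_sorted, 0, 9)
| eval lowest_lex = mvindex(ports_sorted, 0), highest_lex = mvindex(ports_sorted, -1)
| table src_ip n_ports all_ports first10 lowest_lex highest_lex top3_by_hits
```

Two things worth checking in the output for 10.0.0.5. First, values() and mvsort() order strings, not numbers: ports_sorted comes back as 110, 143, 22, 25, 3389, 443, 445, 53, 80, 8080, 8443, 993, so lowest_lex is 110 and highest_lex is 993, and mvindex(ports_sorted, 0, 9) is the first ten of that string order, not the ten lowest port numbers. If numeric order matters, rank before the stats (as the hits/rank columns do here) or zero-pad the port before sorting. Second, top3_by_hits comes from counting events per (src_ip, dest_port), sorting by count and keeping rank <= 3 with streamstats, which yields 443, 80 and then one of the single-hit ports; that frequency ranking, rather than slicing a lexicographic list, is what answers "which ports does this source talk to most".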