Splunk Enterprise Security

Check if Field is a Multivalue Field

thomasvanhelden
Explorer

Is it possible to check if a certain field is a multi-value field?

I'm rewriting some old searches. They contain a few mvexpand commands, but I'm not sure whether this is necessary or not.
I don't know how to verify if the mvexpand is required and it seems risky to just leave it out and see if the search still works.

0 Karma
1 Solution

wmyersas
Builder

It would probably be better to figure out what the search is trying to do in the first place

There may be better ways of finding what the searches are trying to do - given that these ones you're looking at are "old"

Or there might not 🙂

That said, mvexpand doesn't really hurt you if the field is not multivalue (there's a tiny performance hit, but it's pretty small)

In my experience, I "know" a field [may] be multivalue in one of two instances:

  1. it comes out of JSON
  2. there was a | stats list() or | stats values() that built the field in question

If neither of those is true, it's probably not multivalue


woodcock
Esteemed Legend

You can use mvcount for this.
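As an added example (not from any post in this thread), the search below turns the mvcount suggestion into a check you can run before removing an mvexpand: it measures how many values a field holds per event and summarises the result. The first two lines build constructed sample data with a field named dest_ip; replace them with your own base search (and dest_ip with the field in question), or insert the eval/stats lines at the point in the pipeline where the field is built. Field and command names below are assumptions, not something from the original posts.

```spl
| makeresults count=3
| streamstats count AS n
`comment("Constructed sample: event 1 has one dest_ip, event 2 has two, event 3 has none")`
| eval dest_ip=if(n==1, "10.0.0.1", null())
| eval dest_ip=if(n==2, split("10.0.0.2,10.0.0.3", ","), dest_ip)
`comment("mvcount returns 1 for a single value, >1 for multivalue, null when the field is absent")`
| eval value_count=coalesce(mvcount(dest_ip), 0)
| stats count AS events
        count(eval(value_count>1)) AS multivalue_events
        max(value_count) AS max_values_in_one_event
```

On the sample data this reports events=3, multivalue_events=1 and max_values_in_one_event=2. If multivalue_events is 0 over a representative time range for your real data, an mvexpand on that field changes nothing and can be dropped; if it is non-zero, the search relies on it.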

lkutch_splunk
Splunk Employee

Sounds like if your search has multivalue fields & you want them separated out, then you use it...
https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Mvexpand
"Expands the values of a multivalue field into separate events, one event for each value in the multivalue field. For each result, the mvexpand command creates a new result for every multivalue field."
If you don't want them separated, then you don't.

0 Karma

wmyersas
Builder

OP's already using mvexpand - he's trying to figure out if he needs to or not 🙂

0 Karma

to4kawa
Ultra Champion
| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-1d@d"), relative_time(_time,"@d"))
| makecontinuous span=15m
| fillnull
| where count!=1
| eval count = random() % 50
| eval count2 = count % 2 + 1
| eval count3 = count % 3 + 1
| bin span=1h aligntime=-1h@h _time
| stats list(count) as count values(count2) as count2 values(count3) as count3 by _time
`comment("this is sample data: the list() and values() above build multivalue fields")`
| eval check=""
`comment("for every field, append its name to check when it holds more than one value")`
| foreach "*"
    [ eval check=if(mvcount(<<FIELD>>) > 1 ,mvappend(check,"<<FIELD>>") ,check) ]

Hi, @thomasvanhelden
How about it?

thomasvanhelden
Explorer

This is a solution to my problem! I built something similar myself. Thank you!

0 Karma

thomasvanhelden
Explorer

I just read about the mvcount function. I guess that can be used to count the number of values in the field and check if there are any counts higher than one.

0 Karma

techiesid
SplunkTrust

Hi @thomasvanhelden ,

Just a thought: why don't you keep the mvexpand command as is? If it is a single-value field, mvexpand will do nothing, and only if that field is an mv field will mvexpand do anything.

Sid

0 Karma