I'm a newbie with Splunk and I'm trying to make a query to count how many requests have a determinate value, but this counter must be incremented if a specific attribute is on the request.

Example:

13:51:28,802 INFO class:ControllerV1, UA=, GW=
13:51:57,533 INFO class:ControllerV1, UA=, GW=

For the example above, I must increment the counter if GW != null, so I have three counters, for tokyo, new-york and helsing.

The results should be something like: tokyo | new-york | helsing

Source="/logfiles.log" | rex "UA=(?\w+)" | stats count(eval(user-agent="")) as TOKYO

But it returns the error: Error in 'rex' command: Encountered the following error while compiling the regex 'UA=(?\w+)': Regex: syntax error in subpattern name (missing terminator).

I know that I can't use - but I must do it, and when I remove it the results keep being null (0 results).

The following list contains the functions that you can use on multivalue fields or to return multivalue fields.

For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions. You can also use the statistical eval functions, max and min, on multivalue fields. See Statistical eval functions.

commands()

Description
This function takes a search string, or a field that contains a search string, and returns a multivalued field containing a list of the commands used in that search string. This function is generally not recommended for use except for analysis of audit.log events. You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

The following example returns a multivalued field called x that contains the commands search, stats, and sort, which are the commands used in the search string specified.

| eval x=commands("search foo | stats count | sort count")

mvappend()

Description
This function takes one or more arguments and returns a single multivalue result that contains all of the values. The arguments can be strings, multivalue fields or single value fields.

This example shows how to append two values: localhost is a literal string value and srcip is a field name.

| eval fullName=mvappend("localhost", srcip)

The following example shows how to use nested mvappend functions. The inner mvappend function contains two values: localhost is a literal string value and srcip is a field name. The outer mvappend function contains three values: the inner mvappend function, destip, which is a field name, and 192.168.1.1, which is a literal IP address.

| eval ipaddresses=mvappend(mvappend("localhost", srcip), destip, "192.168.1.1")

The results are placed in a new field called ipaddresses, which contains the array. Note that the previous example generates the same results as the following example, which does not use a nested mvappend function:

| makeresults | eval ipaddresses=mvappend("localhost", srcip, destip, "192.168.1.1")

mvcount()

Description
This function takes a field and returns a count of the values in that field for each result. If the field is a multivalue field, it returns the number of values in that field. If the field contains a single value, this function returns 1. If the field has no values, this function returns NULL.

| eval n=mvcount(multifield)

Extended example
In the following example, the mvcount() function returns the number of email addresses in the To, From, and Cc fields and saves the counts in the specified "_count" fields.

| eval Cc_count=

This search takes the values in the To field and uses the split function to separate the email address on the @ symbol. The split function is also used on the Cc field for the same purpose. If only a single email address exists in the From field, as you would expect, mvcount(From) returns 1. If there is no Cc address, the Cc field might not exist for the event. In that situation mvcount(Cc) returns NULL.

mvdedup()

Description
This function takes a multivalue field and returns a multivalue field with its duplicate values removed.

| eval s=mvdedup(mvfield)

mvfilter()

Description
This function filters a multivalue field based on an arbitrary Boolean expression. The Boolean expression can reference ONLY ONE field at a time. This function will return NULL values of the field as well; if you do not want the NULL values, exclude them explicitly in the Boolean expression.

The following example returns all of the values in the field email that end in .net or .org.

| eval n=mvfilter(match(email, "\.net$") OR match(email, "\.org$"))

mvfind()
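The following search is an added example, not part of the Splunk documentation excerpt above, that puts the mvappend, mvcount, mvdedup, mvfilter and commands passages together on one constructed result. The source and destination addresses, the private-range regex and the audit search string are all made up for the example; the field names src_ips, dst_ip, all_ips, unique_ips, external_ips and audit_cmds are assumptions, not fields from the documentation.

```spl
| makeresults count=1
| eval src_ips=split("10.1.4.22 203.0.113.9 10.1.4.22", " "), dst_ip="198.51.100.7"
| eval all_ips=mvappend(src_ips, dst_ip, "192.168.1.1")
| eval raw_count=mvcount(all_ips)
| eval unique_ips=mvdedup(all_ips)
| eval unique_count=mvcount(unique_ips)
| eval external_ips=mvfilter(NOT match(unique_ips, "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)"))
| eval external_count=coalesce(mvcount(external_ips), 0)
| eval audit_cmds=commands("search src_ip=10.1.4.22 | stats count by dest | sort - count")
| table all_ips raw_count unique_ips unique_count external_ips external_count audit_cmds
```

The first eval builds a multivalue source list with split and a single-value destination field; mvappend then concatenates a multivalue field, a single-value field and a literal into all_ips, exactly as the documentation describes. mvdedup removes the repeated 10.1.4.22, and the mvfilter predicate references only unique_ips (the one-field rule) to keep the addresses outside RFC 1918 space. Because mvfilter passes NULL values through and mvcount of an empty field is NULL rather than 0, external_count is wrapped in coalesce so that a result with only private addresses reports 0 instead of a blank cell. commands() is shown last for the audit.log use case the documentation mentions: it lists the search commands contained in the string without running them.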
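Returning to the question at the top of the page, the search below is an added example, not the poster's own search, of how the three counters can be built. It assumes the log format is "UA=<value>, GW=<value>" with the GW value empty when no gateway is present; the four log lines are constructed for the example and the UA and GW values in them are invented. The capture-group names user_agent and gateway are assumptions chosen because a hyphen is not allowed in a regex subpattern name, which is what the reported rex error is complaining about.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(
    n=1, "13:51:28,802 INFO class:ControllerV1, UA=tokyo, GW=gw-eu-1",
    n=2, "13:51:57,533 INFO class:ControllerV1, UA=tokyo, GW=",
    n=3, "13:52:03,100 INFO class:ControllerV1, UA=new-york, GW=gw-us-2",
    n=4, "13:52:10,411 INFO class:ControllerV1, UA=helsing, GW=gw-eu-1")
| rex field=_raw "UA=(?<user_agent>[^,]+),\s*GW=(?<gateway>\S*)"
| eval has_gw=if(isnotnull(gateway) AND gateway!="", 1, 0)
| stats count(eval(has_gw=1 AND user_agent="tokyo")) AS tokyo,
        count(eval(has_gw=1 AND user_agent="new-york")) AS "new-york",
        count(eval(has_gw=1 AND user_agent="helsing")) AS helsing
```

The UA capture uses [^,]+ rather than \w+ so that a value such as new-york, which contains a hyphen, is captured whole. The has_gw flag is computed once with an explicit isnotnull check because a comparison against a field that rex did not extract at all evaluates to null, not false, and it is clearer to normalise that to 0 before counting. Each count(eval(...)) then increments only when the gateway was present, which is the condition the question asks for, and the aliases produce the tokyo | new-york | helsing column layout.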