In that situation mvcount(cc) returns NULL. If there is no Cc address, the Cc field might not exist for the event. If only a single email address exists in the From field, as you would expect, mvcount(From) returns 1. The split function is also used on the Cc field for the same purpose. | eval Cc_count= search takes the values in the To field and uses the split function to separate the email address on the symbol. In the following example, the mvcount() function returns the number of email addresses in the To, From, and Cc fields and saves the addresses in the specified "_count" fields. | eval n=mvcount(myfield) Extended example If the field has no values, this function returns NULL. If the field contains a single value, this function returns 1. This function takes a multivalue field and returns a count of the values in that field. The results are placed in a new field called ipaddresses which contains the array. | eval ipaddresses=mvappend(mvappend("localhost", srcip), destip, "192.168.1.1")
#SPLUNK STATS COUNT SORT HOW TO#
This example shows how to use nested mvappend functions. | eval ipaddresses=mvappend("localhost", srcip) Nested mvappend functions The results are placed in a new multivalue field called ipaddresses:
This example shows how to append the literal value localhost to the values in the srcip field. You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.Įxamples Specifying literals and field names The values can be strings, multivalue fields, or single value fields. This function returns a single multivalue result from a list of values. See Statistical eval functions.įor information about using string and numeric fields in functions, and nesting functions, see Overview of SPL2 eval functions. You can also use the statistical eval functions, such as max, on multivalue fields. The following list contains the functions that you can use on multivalue fields or to return multivalue fields.
0 kommentar(er)
