The Multivalue functions evaluate multivalue arguments and return multivalue fields.
This function accepts two arguments, X and Y as inputs. It splits the values of the field X by the delimiter (such as comma, semicolon, blank space) specified in the field Y and returns a multivalue field containing a list of split values.
Syntax:
| process eval("identifier=split(X,Y)")
Example:
| process eval("split_message=split(message, ' ')")
| fields message, split_message
The above example splits the value of the message field when the split function encounters a space in the value and returns split values in the split_message identifier.
The fields command displays the value of fields and split_message in a tabular form.
Split function¶
This function accepts a search string X as input, or a field that contains a search string, and returns a multivalue field containing a list of the commands used in X.
Syntax:
| process eval("identifier=commands(X)")
Example:
| process eval("commands_list=commands('chart count() | fields name | rename message as alert')")
| fields commands_list
The above example returns the list of the commands present in the provided search string, i.e., chart count() | fields name | rename message as alert, and returns them in the identifier commands_list.
The fields command displays the value of commans_list in a tabular form.
Commands function¶
This function accepts two or more arguments as inputs and appends the values of the arguments. It returns a multivalue result containing a list of all the appended values. The arguments can be strings, multivalue fields or single value fields.
Syntax:
| process eval("identifier=mvappend(X, ...)")
Example:
| process eval("ip_address=mvappend(source_address, destination_address)")
| fields source_address, destination_address, ip_address
The above example returns the appended value of the source_addess and destination_address fields in the ip_address identifier.
The fields command displays the value of source_address, destination_address, and ip_address in a tabular form.
Mvappend function¶
This function accepts either a multivalue field or a single value field X as input and returns the count of the values of that field.
Syntax:
| process eval("identifier=mvcount(X)")
Example:
| process eval("message_character_count=mvcount(split(message, ' '))")
| fields message, message_character_count
The above example compares the values obtained from split(message, ‘ ‘) to the pattern acco.. acco. means any sequence of letters that can follow the string acco. If the values obtained from split(message, ‘ ‘) and pattern match, it returns the matched value in the filter_account_message identifier. If they don’t match it returns 0.
The fields command displays the value of message and message_character_count in a tabular form.
Mvcount function¶
This function removes duplicate values of a multivalue field X and returns a multivalue output in a list.
Syntax:
| process eval("identifier=mvdedup(X)")
Example:
| process eval("discount_ml=if(discount < 50) {return 'less discount less'}
else {return 'more discount more'}")
| process eval("result=mvdedup(split(discount_ml, ' '))")
| fields discount, discount_ml, result
The above example first returns less discount less in the discount_ml identifier if discount is less than 50, else returns more discount more. The split function splits the value of discount_ml when it encounters a space. Then, the mvdeup function removes the duplicate values in the value obtained from the split(discount_ml, ‘ ‘) and returns it in the result identifier.
The fields command displays the value of discount, discount_ml, and result in a tabular form.
Mvdedup function¶
This function accepts a multivalue field X and a pattern as inputs. It filters the values of the field using the pattern, and returns a multivalue or a single value field containing the list of values that match the given pattern.
Syntax:
| process eval("identifier=mvfilter(X, pattern)")
Example:
| process eval("filter_account_message=mvfilter(split(message, ' '), 'acco.*')")
| fields message, filter_account_message
The above example compares the values obtained from split(message, ‘ ‘) to the pattern acco.*. acco.* mean any sequence of letters can follow the string acco. If the values obtained from split(message, ‘ ‘) and pattern matches, it returns the matched value in the filter_account_message identifier, else returns 0. Refer to the split section to know on the value from split(message, ‘ ‘).
The fields command displays the value of fields message and filter_account_message in a tabular form.
Mvfilter function¶
This function accepts two arguments, a multivalue field X, and a regex (regular expression) pattern Y. It tries to match the regular expression against any substring of the value in X. If there is a match, the function returns the index (beginning from zero) of the first value that matches the regex pattern. If there isn’t a match, it returns null.
Syntax:
| process eval("identifier=mvfind(X, Y)")
Example:
| process eval("indexof_account=mvfind(split(message, ' '), 'acco.*')")
| fields message, indexof_account
The above example search for the first match in the values obtained from split(message, ‘ ‘) to the pattern acco.*. acco.* mean any sequence of letters can follow the string acco. If the function finds a match in the values obtained from split(message, ‘ ‘) to the pattern acco.*, it returns the index (position) of the first match (index starts from zero) in the indexof_account identifier.
The fields command displays the value of fields message and indexof_account in a tabular form.
Mvfind function¶
This function accepts up to three arguments, a multivalue field X, a number start_index and a number end_index. It evaluates the values of the string X and returns the value that starts at the index specified by start_index and ends at the index specified by end_index.
The field X and the start_index are required. The end_index is inclusive and optional while providing positive values for both the start and end index.
If the end_index is not specified, the function returns only the value at start_index.
The start_index and end_index can be negative. Both the start_index and end_index is required while providing negative values for either the start_index or end_index.
If the indices are out of range or invalid, the result is null.
Syntax:
| process eval("identifier=mvindex(X, start_index, end_index)")
Example:
| process eval("index_message=mvindex(split(message, ' '), 2)")
| fields message, index_message
The above example returns the third value (index starts from 0) in the values obtained from split(message, ‘ ‘) in the index_message identifier.
The fields command displays the value of fields message and index_message in a tabular form.
Mvindex function¶
This function accepts two arguments, a multivalue field X, and a string delimiter (such as comma, semicolon, blank space) Y. The function concatenates the individual values within X using the value of Y as a separator.
Syntax:
| process eval("identifier=mvjoin(X, Y)")
Example:
| process eval("result=mvjoin(split(message, ' '), ',')")
| fields message, result
The above example accepts the values from split(message, ‘ ‘) and joins the received values with a comma. It returns the joined values in the result identifier. Refer to the split section to know on the value from split(message, ‘ ‘).
The fields command displays the value of the message, and result in a tabular form.
Mvjoin function¶
It takes up to three arguments: a starting number X, an ending number Y, and an optional step increment Z. It returns the range of X and Y, where Y is excluded from the result.
If Z is not provided, the default increment step is +1.
If Z is a timespan like 1d (1 day), then X and Y are treated as UNIX time.
Syntax:
| process eval("identifier=mvrange(X, Y, Z)")
Example 1:
| process eval("range=mvrange(1,5)")
The above example returns the value from 1 to 5 (excluding 5) with +1 increment in the range identifier. The result is 1, 2, 3, 4.
Mvrange function¶
Example 2:
| process eval("range=mvrange(1.1,5)")
The above example returns the value from 1.1 to 5 with +1 increment in the mvrange identifier. The result is 1.1, 2.1, 3.1, 4.1.
Example 3:
| process eval("range=mvrange(1.5,6,1.5)")
The above example returns the value from 1.5 to 6 (excluding 6) with +1.5 increment in the mvrange identifier. The result is 1.5, 3, 4.5.
Example 4:
| process eval("range=mvrange(1134,343434,'1d')")
The above example returns the value from 1134 to 343434 with +86400 increment in the mvrange identifier. The result is 1134, 87534, 173934, 260334.
Here, 1d = 86400 seconds
Example 5:
| process eval("range=mvrange(1233.124224,2434455.1232323,'1w')")
The above example returns the value from 1233.124224 to 2434455.1232323 with +604800 increment in the mvrange identifier. The result is 1233.124224, 606033.124224, 1210833.1242240001, 1815633.1242240001, 2420433.124224.
Here, 1w = 604800 seconds
This function accepts a multivalue field X and returns a multivalue field containing the list of values of the field X sorted in lexicographical order (alphabetically).
In lexicographical order, numbers are sorted by digits. So numbers are sorted before letters. If the first digits match, the second digits get compared. The comparison is like a string. For example, 10 comes before 2, but 111 comes after 10 (and also after 1000) because 0 is less than 1. A lexical sort compares the characters in each string as characters, not integral values.
All the uppercase letters are sorted before the lowercase letters.
Syntax:
| process eval("identifier=mvsort(X)")
Example 1:
| process eval("sort=mvsort(split(message, ' '))") | fields message, sort
The above example accepts the values from split(message, ‘ ‘) and sorts them according to the rule described above. It returns the sorted value in the sort=mvsort identifier.
The fields command displays the value of the message and sort in a tabular form.
Mvsort function¶
Example 2:
If testData = {“test1”, 1, 1.2}
| process eval("sort=mvsort(testData)")
The above example sorts the data in the testData field according to the rule described above and returns the sorted value in the identifier sort. The result is [1, 1.2, “test1”]
This function accepts up to three arguments. It takes two multivalue fields, X and Y and combines the values of these fields. It joins the first value of the X field with the first value of the Y field and the second value of X with the second value of Y. The third field Z specifies a delimiting character that joins the two values of the fields X and Y. The Z field is optional, and the default delimiter is a comma.
Syntax:
| process eval("identifier=mvzip(X,Y,Z)")
Example 1:
If users = [“john”, “jack”, “kim”], machines = [“lp1”, “lp2”, “lp3”]
| process eval("x=mvzip(users,machines)")
The above example accepts the values from users and machines fields. It joins the first value of the user field with the first value of the machines field and and the second value of the users field with the second value of the machines field and continues in the same way. A comma separates the values in the joined fields. It returns the joined value in the x identifier. Result: [“john,lp1”, “jack,lp2”, “kim,lp3”]
Example 2:
| process eval ("category_split= split(event_category, ' ' )")
| process eval ("event_split= split(event_type, ' ' )")
| process eval ("zip= mvzip(category_split,event_split, ' ')")
| fields event_category, event_type ,category_split, event_split, zip
The above example accepts the values of category_split and event_split fields. It joins the first value of the category_split field with the first value of the event_split field and the second value of the category_split field with the second value of the event_split field and continues in the same way. Space separates the values in the joined fields. It returns the joined value in the zip identifier. Refer to the split section to know on the value from split(event_category, ‘ ‘ ) and split(event_type, ‘ ‘ ).
The fields command displays the value of event_category, event_type, category_split, and zip in a tabular form.
Mvzip function¶