This function takes two arguments, a multivalue field and a string delimiter. The start value is -3 and the end value is -1. For example, the following search returns the last 3 values in the field. To return a range of values, specify both a start and end value. To return the 3rd value from the end, you would specify the index number -3. To return the last value in the list, you specify -1, which indicates to start at the end of the list and return only one value. The negative symbol indicates that the indexing starts from the last value. To return a value from the end of the list of values, the index numbers start with -1. The start value is 0 and the end value is 3. Consider the following values in a multivalue field: buttercup, dash, flutter, honey, ivory, minty, pinky, rarity. For example, the following search returns the first 4 values in the field. If the indexes are out of range or invalid, the result is NULL. Consider the following values in a multivalue field called names: Because indexes start at zero, the following example returns the value claudia: An index of -1 is used to specify the last value in the list. Both the and arguments can be negative. When the argument is specified, the range of values from to are included in the results. If only the argument is specified, only that value is included in the results. The second value has an index of 1, and so on. If you have 5 values in the multivalue field, the first value has an index of 0. This function returns a subset of the multivalue field using the start and end index values. | eval n=mvfind(myfield, "err\d+") mvindex(,, ) This function returns the index for the first value in a multivalue field that matches a regular expression. | eval n=mvfilter(match(email, "\.net$") OR match(email, "\.org$")) mvfind(, ) The following example returns all of the values in the email field that end in.
If you do not want the NULL values, use one of the following expressions: This function will return NULL values of the field x as well. See Predicate expressions in the SPL2 Search Manual. The expression can reference only one field. This function filters a multivalue field based on a predicate expression. This function takes a multivalue field and returns a multivalue field with the duplicate values removed. In that situation mvcount(cc) returns NULL. If there is no Cc address, the Cc field might not exist for the event. If only a single email address exists in the From field, as you would expect, mvcount(From) returns 1. The split function is also used on the Cc field for the same purpose. | eval Cc_count= search takes the values in the To field and uses the split function to separate the email address on the symbol. In the following example, the mvcount() function returns the number of email addresses in the To, From, and Cc fields and saves the addresses in the specified "_count" fields. | eval n=mvcount(myfield) Extended example If the field has no values, this function returns NULL. If the field contains a single value, this function returns 1. This function takes a multivalue field and returns a count of the values in that field. The results are placed in a new field called ipaddresses which contains the array. | eval ipaddresses=mvappend(mvappend("localhost", srcip), destip, "192.168.1.1")