In the New_Field you can see all the values of the status field separated by the “/” sign. The allrequiredf flag also allows you to concatenate the fields that. Finally, using the mvjoin function with the eval function, we concatenated all the values within the status field using the “/” sign as a delimiter and stored the result in a new field called New_Field.

Usage of Splunk EVAL Function : MVJOIN

This function takes two arguments ( X and.

The values function takes all the values from a field and creates a multi-value field with unique values. Now the status field becomes a multi-value field. We have used the values function to create a multi-value field. The following list contains the functions that you can use on multivalue fields or to return multivalue fields.

In the above query, method and status are both existing fields in the _internal index, and the sourcetype name is splunkd_ui_access.

Just for curiosity, why not concatenate the two fields before using for time format conversion eval.

In a simpler way, we can say it will combine 2 search queries and produce a single result.