It's been quite a long time since my last post here.

I'm now taking the opportunity to share one article I wrote about Splunk, which might be of some help to the community. Since I've been using that technology for a while, I've decided to leverage such knowledge in order to renew one GIAC certification I got in the past (GCIA).

Basically, the paper's content is about installing Splunk Enterprise (freely available version) on a Linux machine, getting network data processed based on tshark's output, and finally extracting some interesting stats and charts out of it. It was also a fun way to introduce Splunk's data mining features, which might hopefully enable users to develop new ideas based on the approach presented in there.

As expected, there should be many other ways to accomplish the same results while processing IP packet headers, whether it's using Splunk or not, so I would really appreciate receiving feedback about other approaches used out there.

Security Analytics: having fun with Splunk and a packet capture file

UPDATE: In case you are looking for Splunk transaction examples, I also wrote a post about that here. And of course, the community forum is full of information around this topic as well.

The mvmap function takes at most two arguments (X, Y). X can be a multi-value expression, any multi-value field, or any single-value field.

Find below the skeleton of the usage of the function "mvmap" with EVAL:

| eval NEW_FIELD=mvmap(X,Y)

Example 1:

index=_internal sourcetype="splunkd_ui_access" | stats values(status) as status by method | eval new=mvmap(status,status*10)

In the above query, status and method are both existing fields of the _internal index, and the sourcetype name is splunkd_ui_access. Using the values function with the stats command we have created one multi-value field. Finally we have used the mvmap function to multiply each value of the status field by 10 in the new field.

NOTE: Instead of multiplication you can do any kind of mathematical calculation using mvmap.

Example 2:

index=_internal sourcetype="splunkd_ui_access" | table status bytes | eval new=mvmap(status,status+bytes)

In the above query, status and bytes are both existing fields of the _internal index, and the sourcetype name is splunkd_ui_access. Here both are single-value fields. Then we added the bytes value to each status value.

Example 3:

index=_internal sourcetype="splunkd_ui_access" | stats values(status) as status by bytes | eval new=mvmap(status,status*bytes)

In the above query, status and bytes are both existing fields of the _internal index, and the sourcetype name is splunkd_ui_access. Here we have created a multi-value field called status using the values function with the stats command, and bytes is a single-value field. Finally we have used mvmap to multiply all the values of status by the bytes value.

You can also know about: Usage of Splunk Commands : MVEXPAND

Example 4:

index=_internal sourcetype="splunkd_ui_access" | stats values(status) as status by method | eval new=mvmap(mvindex(status,0,2),status*10)

In the above query, status and method are both existing fields of the _internal index, and the sourcetype name is splunkd_ui_access. Here we have created a multi-value field called status using the values function with the stats command, and method is a single-value field. As we explained at the top, in place of X you can use any expression that results in a multi-value field: here, using mvindex, we pick the first three values of each status field and then multiply them by 10 using mvmap. If you don't know about the usage of the mvindex function then click here.

NOTE: In the case of mvmap it only deals with numeric fields.
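To make the behaviour of the four mvmap queries concrete without a Splunk instance, here is an added Python model of `stats values(...) by ...`, `mvindex()` and `mvmap()` run over a handful of constructed web-access events. This is example code written for this page, not code from the original post or from Splunk; the events are made up, `values()` is modelled as the lexicographically sorted distinct values (which is how Splunk orders them), and an mvindex end index past the last value is assumed to be clamped rather than returning null.

```python
from collections import defaultdict
from typing import Callable, List, Optional, Union

# Constructed sample events standing in for
#   index=_internal sourcetype="splunkd_ui_access"
# (not real Splunk records). status is kept as a string, as extracted fields are.
EVENTS = [
    {"method": "GET",  "status": "200", "bytes": 512},
    {"method": "GET",  "status": "404", "bytes": 128},
    {"method": "GET",  "status": "200", "bytes": 512},
    {"method": "GET",  "status": "500", "bytes": 64},
    {"method": "GET",  "status": "304", "bytes": 0},
    {"method": "POST", "status": "201", "bytes": 256},
    {"method": "POST", "status": "403", "bytes": 32},
]

Number = Union[int, float]


def _num(v) -> Number:
    """Coerce a field value to a number the way eval arithmetic does."""
    s = str(v)
    return int(s) if s.lstrip("-").isdigit() else float(s)


def stats_values(events, field: str, by: str):
    """Model `stats values(<field>) as <field> by <by>`: one row per group
    holding the distinct values of <field>, sorted lexicographically."""
    groups = defaultdict(set)
    for ev in events:
        groups[ev[by]].add(str(ev[field]))
    return [{by: key, field: sorted(vals)} for key, vals in sorted(groups.items())]


def mvindex(mv, start: int, end: Optional[int] = None) -> Optional[List[str]]:
    """Model mvindex(MV, START [, END]): zero-based, END inclusive, negative
    indices count from the end. An out-of-range START yields null (None);
    an END past the last value is clamped (assumption, see lead-in)."""
    if not isinstance(mv, list):
        mv = [mv]
    n = len(mv)
    if start < 0:
        start += n
    if end is None:
        end = start
    elif end < 0:
        end += n
    if start < 0 or start >= n or end < start:
        return None
    return mv[start:min(end, n - 1) + 1]


def mvmap(mv, expr: Callable[[Number], Number]) -> Optional[List[Number]]:
    """Model mvmap(X, Y): evaluate Y once per value of X and return the
    results as a new multi-value field. A single-value X is treated as a
    one-element list; a null X stays null. Y is a Python callable standing
    in for the SPL expression that references the field."""
    if mv is None:
        return None
    if not isinstance(mv, list):
        mv = [mv]
    return [expr(_num(v)) for v in mv]


def example_1():
    """stats values(status) as status by method | eval new=mvmap(status,status*10)"""
    rows = stats_values(EVENTS, "status", "method")
    for row in rows:
        row["new"] = mvmap(row["status"], lambda status: status * 10)
    return rows


def example_2():
    """table status bytes | eval new=mvmap(status,status+bytes): X is single-valued."""
    return [
        {"status": ev["status"], "bytes": ev["bytes"],
         "new": mvmap(ev["status"], lambda status, b=ev["bytes"]: status + b)}
        for ev in EVENTS
    ]


def example_3():
    """stats values(status) as status by bytes | eval new=mvmap(status,status*bytes)"""
    rows = stats_values(EVENTS, "status", "bytes")
    for row in rows:
        row["new"] = mvmap(row["status"], lambda status, b=row["bytes"]: status * b)
    return rows


def example_4():
    """... by method | eval new=mvmap(mvindex(status,0,2),status*10): X is an expression."""
    rows = stats_values(EVENTS, "status", "method")
    for row in rows:
        row["new"] = mvmap(mvindex(row["status"], 0, 2), lambda status: status * 10)
    return rows


if __name__ == "__main__":
    for name, fn in [("1", example_1), ("2", example_2), ("3", example_3), ("4", example_4)]:
        print(f"Example {name}:")
        for row in fn():
            print("  ", row)
```

Running the script shows why Example 4 differs from Example 1 only for the GET group: GET has four distinct status values, so mvindex(status,0,2) drops the fourth before mvmap multiplies, while POST has only two and is unaffected. It also shows the point the NOTE makes about numeric fields: every value passes through `_num()` before the expression runs, so a non-numeric status would raise here just as it would produce a null in eval.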