Your Splunk videos are helping me a lot. Thank you so much!
This video needs MOAR UPVOTES!
Thank you so much for the efforts that you make to provide such information..keep going😇
Thank you 🙏
Hi - Couldn't locate any video discussing multisearch..hence posting my query here. I am working on multisearch query which would search for a particular string (let's say for a period of 7 days) during a particular time window (let's between 1 PM to 2 PM). I need the count of all the matched string individually for each day for the given duration....I am using the multisearch along with earliest and latest..but can't get the required result. Your help is much appreciated.
Hi Amritesh,
Can you send me the search query and some example data through email. It will be easier for me to assist. My id techiesid1985@gmail.com
This helped me a lot. Thank you for this tutorial. 👍
I have one issue with my query: how can we sort multiple field values in different output? I have field values like A,B,C,D and I want output as AA for A and for B in a table? Please help.
Let me understand your question. So you have a mv field with values A,B,C,D and you want to produce another mv field with values AA,BB,CC,DD?
Hi Sid, thanks for the video. One question: is there any difference between mvzip and mvappend? I understand that both commands can be used to concatenate multivalue columns together.
In fact, they are totally different functions:
mvappend: This function is generally used to create a mv field from two or more strings or mv fields.
For example,
mvfield1 = val1
val2
val3
mvappend(str1,str2,mvfield1) = str1
str2
val1
val2
val3
mvzip: This function takes two multivalue fields, X and Y, and combines them by stitching together the first value of X with the first value of field Y, then the second with the second, and so on. The third argument, Z, is optional and is used to specify a delimiting character to join the two values. The default delimiter is a comma.
For example,
mvfield1 = val1
val2
val3
mvfield2 = val4
val5
val6
mvzip(mvfield1, mvfield2) = val1,val4
val2,val5
val3,val6
@splunk_ml Thanks so much for the detailed explanation Sid. I tried with the example and it's clear now. Thanks again!
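Added example for the mvappend vs. mvzip exchange above (this is not Sid's code or from the video; it only uses makeresults, so it needs no index and can be pasted into any Splunk search bar). It builds the same mvfield1/mvfield2 values from the comment and shows the two functions side by side, plus the optional delimiter argument of mvzip:

```spl
| makeresults
| eval mvfield1=split("val1,val2,val3", ","),
       mvfield2=split("val4,val5,val6", ","),
       str1="str1",
       str2="str2"
| eval appended=mvappend(str1, str2, mvfield1),
       zipped=mvzip(mvfield1, mvfield2),
       zipped_pipe=mvzip(mvfield1, mvfield2, "|")
| eval appended_count=mvcount(appended),
       zipped_count=mvcount(zipped)
| table mvfield1 mvfield2 appended appended_count zipped appended_count zipped_count zipped_pipe
```

`appended` comes out as five values (str1, str2, val1, val2, val3), so `appended_count` is 5; `zipped` is three values (val1,val4 / val2,val5 / val3,val6), so `zipped_count` is 3, and `zipped_pipe` holds the same three pairs joined with `|` instead of the default comma. The `mvcount` fields make the row-count difference visible without having to eyeball the table.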
What does "streamstats count as counter" do? Also, is there any difference between mvcombine and mvappend, as both are making a multivalue field?
Hi Kushagra,
I used "streamstats count as counter" to generate row numbers 1,2,3,4...so that I can apply some logic rowwise while creating the test data.
Regarding your second question, mvcombine you can think of as a row-wise operator where it's grouping (creating a mv field) rows where every field value is the same except one. mvappend you can think of as a column-wise operator where it can concatenate multiple fields as well as strings.
Hi Sidd, I have two questions. 1. How to know whether we have to use the makeresults command or not? 2. What is the difference between mvcombine and mvzip? Thanks in advance.
That depends on the scenario... Here I needed some test data, that's why I used that command. makeresults is an event-generating command.
Regarding your second question...mvcombine creates a multivalue field from a set of events where all the field values are the same except the field you mentioned in the mvcombine command...the mvzip command just creates a mv field by stitching several mv fields together; it's basically a column-wise operation, whereas mvcombine we can think of as a row-wise operation.
Hi Sid, I have two different sourcetypes. I am extracting the results to a table; I wanted to do a union and combine the results. Can you please tell how to do that?
index= sourcetype= OR sourcetype= | table
@splunk_ml I have one more question: in the Splunk alerts, can we convert the GMT timestamp to a CST timestamp?
Hi team, if a sub query returns 2 time fields, how can we check min and max from those fields?
Hi Rahul,
Can you provide the sample query you are using. An example will be helpful for me.
Sid
Splunk & Machine Learning hi Sid, I have a query which returns 4 events, and each event has a timestamp. Out of those I want to return the timestamps of 2 events, and in my main query I want to find an event between those 2 timestamps...how can I do that? Are you able to get this?
I think using a subsearch it's possible, it will be something like below,
index= earliest=[your second search returning earliest timestamp] latest=[your second search returning latest timestamp]
you can refer the subsearch video I created before,
th-cam.com/video/TiwKp-T56xQ/w-d-xo.html
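Added example for the two questions above about taking min/max timestamps from a subsearch (not Sid's code or from the linked video). `YOUR_INDEX` and `YOUR_SOURCETYPE` are placeholders, and `event_type="window_marker"` is a hypothetical field/value standing in for whatever condition picks out the events that define the time window. The subsearch collapses however many marker events it finds into one row with fields named `earliest` and `latest`; Splunk rewrites that row into `earliest=... latest=...` in the outer search, so the outer search only returns events inside that window:

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE
    [ search index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE event_type="window_marker"
      | stats min(_time) as earliest max(_time) as latest
      | eval latest=latest+1
      | fields earliest latest ]
| table _time host event_type
```

Two practical notes: `latest` is an exclusive bound, so without the `eval latest=latest+1` the last marker event itself would fall just outside the window; and `fields earliest latest` keeps the subsearch from leaking any other field into the outer search as an unintended filter.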
Hi Siddharth, thanks for the video on multivalue fields, got a doubt what is the difference between dedup and mvdedup ?
In simple terms, dedup works at the event level to remove duplicate events, whereas mvdedup only works on a multivalue field to remove duplicates.
@splunk_ml thanks for clarifying the doubt.
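Added example covering two exchanges in this thread: the one about `streamstats count as counter` / mvcombine vs. mvappend, and the one just above about dedup vs. mvdedup (this is not Sid's code or from the video; it uses makeresults only, so it runs anywhere). The constructed data is six events over two hosts with alternating status codes; mvcombine folds the rows per host, mvdedup then cleans the resulting column, and mvappend glues two columns of the same row together:

```spl
| makeresults count=6
| streamstats count as counter
| eval host=if(counter<=3, "web1", "web2"),
       status=if(counter%2=0, "200", "500")
| table host status
| mvcombine status
| eval status_dedup=mvdedup(status)
| eval host_and_status=mvappend(host, status_dedup)
```

`streamstats count as counter` just numbers the six events 1..6, which is what lets the `if()` expressions hand out deterministic values. After `mvcombine status` there are two rows: web1 with status values 500, 200, 500 and web2 with 200, 500, 200 (row-wise: rows that agree on every field except `status` are merged). `mvdedup` reduces each of those to two values, and `mvappend(host, status_dedup)` produces a three-value field per row (column-wise). By contrast, running `dedup host` on the original six events would keep one whole event per host and discard the other statuses entirely, which is the event-level behaviour Sid describes.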
Can you please provide an example where multiple multivalue columns are present, because the syntax shared in this video will work only when 1 multivalue column is present.
It will be same, you just need to apply those commands on the other set of fields.
Hi Bro
I have a doubt: suppose I have a field with field values like below
field="xyz@gmail.com,abc@yahoo.com,abd@outlook.com"
How to separate them based on the mail id they use, like gmail, yahoo, outlook, without using Regex?
Can you tell me the desired output? I didn't understand how you want to separate.
@splunk_ml Hi Bro, my desire is to get the xyz@gmail.com,abc@yahoo.com separated based on the domain.
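Added example for the question above, not Sid's code or from the video. It uses only `split`, `mvindex`, `mvexpand` and `stats`, so no regex is involved; the comma-separated address string is the one from the question, embedded via makeresults:

```spl
| makeresults
| eval field="xyz@gmail.com,abc@yahoo.com,abd@outlook.com"
| eval email=split(field, ",")
| mvexpand email
| eval domain=mvindex(split(email, "@"), 1)
| eval provider=mvindex(split(domain, "."), 0)
| stats values(email) as emails by provider
```

`split(field, ",")` turns the string into a three-value field, `mvexpand` gives each address its own event, and the two `mvindex(split(...))` calls take the part after `@` and then the part before the first `.`, so the final table has one row each for gmail, outlook and yahoo with the matching address under `emails`. If you would rather keep everything in one event and just pull out one provider, `mvfilter(like(email, "%@gmail.com"))` on the multivalue `email` field does that without regex too.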
Do you provide training??
I would like to add the screen shot from the splunk portal, so could let me know how to add that here?
I don't think we can add screenshots directly in a YouTube comment. You can email me at techiesid1985@gmail.com.
Thanks for sharing the email id. Let me share the screenshot directly to this mail id.