Multivalues Operations

mvappend

Description: Takes parameters separated by commas and returns a multivalue field.

Example:

... | eval res=mvappend(users, "hello", 12, pi())

mvcount

Description: Takes a parameter and returns the count of records in the multivalue field.

Example:

... | stats values(user) as users | eval x=mvcount(users)

mvdedup

Description: Takes a parameter and deduplicates the values in the multivalue field.

Example:

... | eval res=mvappend(users, "user1", "user2"), res=mvdedup(res)

mvfilter

Description: Takes a parameter and filters it based on a boolean condition.

Example #1
... | eval res=mvfilter(match(users, "user1"))

Example #2
... | eval res=mvfilter(in(users, "user1", "user2", "user2"))

Example #3
... | ipa={"10.22.3.2", "192.168.0.1"}, x=mvfilter(cidrmatch("10.0.0.0/8", ipa))

Example #4
... | eval myval={2, 6, 8, 10}, res=mvfilter(myval > 7)

mvfind

Description: Takes a parameter and returns the index of the first matching occurrence.

In this example, res will have the value 2.

Example #1
... | eval words={"hello", "my", "world"}, res=mvfind(words, "w(.*)")

In this example, res will have the value null.

Example #2
... | eval words={"hello", "my", "world"}, res=mvfind(ipa, "z(.*)")

mvindex

Description: Takes a parameter and the index number to find in a multivalue field. Returns the value or null if not found.

In this example, res will have the value my.

Example #1
... | eval worlds={"hello", "my", "world"}, res=mvindex(worlds, 1)

mvjoin

Description: Takes a multivalue parameter and a concatenator, returning a string with all values concatenated by the specified delimiter.

In this example, res will have the value "hello OR my OR world".

Example #1
... | eval words={"hello", "my", "world"}, x=mvjoin(words, " OR ")

mvrange

Description: Takes parameters for start, end, and increment interval (optional). Returns a multivalue field with a list of numbers according to the given parameters.

In this example, res will have the value {1, 2, 3, 4, 5}.

Example #1
... | eval res=mvrange(1, 5, 1)

mvsort

Description: Takes a multivalue parameter and sorts it internally.

In this example, res will have the value {"hello", "my", "world"}.

Example #1
... | eval words={"my", "world", "hello"}, res=mvsort(words)

mvzip

Description: Takes multivalue parameters and concatenates them (by index order in the multivalue field). If one parameter has more values than the others, concatenation for those values will not be completed.

In this example, res will have the value {"user1,1", "user2,2"}.

Example #1
... | eval myVal={1, 2, 3}, users={"user2", "user1"}, users=mvsort(users), res=mvzip(users, myVal)

split

Description: Takes a non-multivalue string parameter and a delimiter, returning a multivalue field composed according to the delimiter.

In this example, res will have the value {"hello", "my", "world"}.

Example #1
... | eval myVal="hello, my, world", res=split(myVal, ",")

mvappend​

mvcount​

mvdedup​

mvfilter​

mvfind​

mvindex​

mvjoin​

mvrange​

mvsort​

mvzip​

split​

mvappend

mvcount

mvdedup

mvfilter

mvfind

mvindex

mvjoin

mvrange

mvsort

mvzip

split