multivalue

Min

The mvmin subcommand returns the smallest value of a multivalued field. For a field foo with values [1, 2, 3] this example will set min to 1.

| eval min=mvmin(foo)

Max

The mvmax subcommand returns the largest value of a multivalued field. For a field foo with values [1, 2, 3] this example will set max to 3.

| eval max=mvmax(foo)

Dedup

The mvdedup subcommand returns the contents of a multivalued field with duplicates removed. For a field foo with values [1, 1, 3] this example will set unique to [1, 3].

| eval unique=mvdedup(foo)

Sort

The mvsort subcommand returns the contents of a multivalued field sorted in ascending order. For a field foo with values [3, 1, 2] this example will set sorted to [1, 2, 3].

| eval sorted=mvsort(foo)

Reverse

The mvrev subcommand returns the contents of a multivalued field in reverse order. For a field foo with values [1, 2, 3] this example will set reversed to [3, 2, 1].

| eval reversed=mvrev(foo)

Count

The mvcount subcommand returns the number of values in a multivalued field.

Join

The mvjoin subcommand returns a multivalue field with all the values of the second expression appended to the first expression.

With field1 containing ["a","b"] and field2 containing ["c","d"], this example command will create a field merged that contains ["a","b","c","d"].

| eval merged = mvjoin(field1, field2)

Index

The mvindex subcommand returns the value at the specified index of a multivalued field.

With field1 containing ["a","b"], this example command will create a field first_value that contains "a".

| eval first_value = mvindex(field1, 0)

Range

The mvrange subcommand returns the values of a multivalued field within a start and end index range.

With field1 containing ["a","b","c"], this example command will create a field subset that contains ["b","c"].

| eval subset = mvrange(field1, 1, 2)