multivalue
Subcommands
| Subcommand | Description | Syntax |
|---|---|---|
mvmin | Returns the smallest value of a multivalued field | mvmin(<expr>) |
mvmax | Returns the largest value of a multivalued field | mvmax(<expr>) |
mvdedup | Returns the contents of a multivalued field with duplicates removed | mvdedup(<expr>) |
mvsort | Returns the contents of a multivalued field sorted in ascending order | mvsort(<expr>) |
mvrev | Returns the contents of a multivalued field in reverse order | mvrev(<expr>) |
mvcount | Returns the number of values in a multivalued field | mvcount(<expr>) |
mvjoin | Returns a multivalue field with all the values of the second expression appended to the first expression | mvjoin(<expr>, ...) |
mvindex | Returns the value at the specified index of a multivalued field | mvindex(<expr>, <expr>) |
mvrange | Returns the values of a multivalued field within a start and end index range | mvrange(<expr>, <expr>, <expr>) |
coalesce | Evaluates multiple expressions in order and returns the first non-empty result. If all expressions return empty, it returns an empty result | coalesce(<expr>, ...) |
Examples
mvmin
For a field foo with values [1, 2, 3], this example will set min to 1:
| eval min=mvmin(foo)
mvmax
For a field foo with values [1, 2, 3], this example will set max to 3:
| eval max=mvmax(foo)
mvdedup
For a field foo with values [1, 1, 3], this example will set unique to [1, 3]:
| eval unique=mvdedup(foo)
mvsort
For a field foo with values [3, 1, 2], this example will set sorted to [1, 2, 3]:
| eval sorted=mvsort(foo)
mvrev
For a field foo with values [1, 2, 3], this example will set reversed to [3, 2, 1]:
| eval reversed=mvrev(foo)
mvjoin
With field1 containing ["a","b"] and field2 containing ["c","d"], this example command will create a field merged that contains ["a","b","c","d"]:
| eval merged = mvjoin(field1, field2)
mvindex
With field1 containing ["a","b"], this example command will create a field first_value that contains "a":
| eval first_value = mvindex(field1, 0)
mvrange
With field1 containing ["a","b","c"], this example command will create a field subset that contains ["b","c"]:
| eval subset = mvrange(field1, 1, 2)
coalesce
With field1 being empty, field2 containing ["a"], and field3 containing ["b"], this example command will create a field result that contains ["a"]:
| eval result = coalesce(field1, field2, field3)