Each field in an event typically has a single value, but for events such as email logs you can often find multiple values in the “To” and “Cc” fields. Multivalue fields can also result from data augmentation using lookups. To properly evaluate and modify multivalue fields, Splunk has some multivalue search commands and functions.
The order of the values is lexicographical. Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII. Numbers are sorted before letters. Numbers are sorted based on the first digit.
What are multivalue fields in Splunk?
Multivalue fields can also result from data augmentation using lookups. To properly evaluate and modify multivalue fields, Splunk has some multivalue search commands and functions.
The Splunk documentation calls it the “in function”, and its syntax and usage are slightly different than with the search command. The IN function returns TRUE if one of the values in the list matches a value in the field you specify. String values must be enclosed in quotation marks.
The first thing is that Splunk’s query language is not SQL, so looking for similar commands will not always be possible. But there is nearly always a way of doing things. Looking at your data, I would restructure the query as follows.
Where clause in Splunk query?
The where command is identical to the WHERE clause in the from command. Typically you use the where command when you want to filter the result of an aggregation or a lookup. One advantage of the where command is that you can use it to compare two different fields.
How do I use the where clause in SPL2?
The where command expects a predicate expression. In most cases you can use the WHERE clause in the from command instead of using the where command separately.
Specify wildcards
You can only specify a wildcard with the where command by using the like function.
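The search below is an added example, not taken from the original page or from Splunk's documentation. It combines the points above in one SPL pipeline over mail-style events: a multivalue recipient field, the in function with quoted strings, a wildcard match through like, and a where comparison between two fields. The events are constructed with makeresults, and the field names (sender, To, action, max_rcpt, rcpt_count) are assumptions chosen for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval sender=case(n=1, "alice@example.com", n=2, "bob@example.com", n=3, "carol@example.net", n=4, "dave@example.com")
| eval To=case(n=1, "x@example.org", n=2, "x@example.org;y@example.org;z@example.org", n=3, "x@example.org;y@example.org", n=4, "x@example.org;y@example.org;z@example.org;w@example.org")
| eval action=case(n=1, "delivered", n=2, "delivered", n=3, "deferred", n=4, "rejected")
| eval max_rcpt=2
| makemv delim=";" To
| eval rcpt_count=mvcount(To)
| where in(action, "delivered", "deferred")
| where like(sender, "%@example.com")
| where rcpt_count > max_rcpt
| table sender action rcpt_count To
```

makemv splits the semicolon-delimited To string into a multivalue field so that mvcount can count recipients per event. The three where clauses then keep only events whose action is in the quoted list, whose sender matches the % wildcard pattern, and whose recipient count exceeds the per-event max_rcpt field.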