Usage The values can be strings, multivalue fields, or single value fields. So far, I like Splunk - figuring out how to make use of its power has been the challenging part. This function returns a single multivalue result from a list of values. This command takes the results of a subsearch, formats the results into a single result and places that result into a new field called search. Sorry - I've only been using Splunk for about a week, so I'm just in the learning phase at the moment. This command is used implicitly by subsearches. (Heck, the documentation for "format" doesn't even mention that it does anything special with fields named search or query - isn't that where it should be mentioned? There is that partial sentence (in the above answer and in the How Subsearches Work section) that says "Multiple results will return" - maybe that sentence was also supposed to mention the use of the fieldname query?) I've tried and tried to find the difference between search and query mentioned in the documentation somewhere, but (so far) I've not had any luck. On a lark, I happened to try using the fieldname query (instead of search), and then my subsearch returned more than one value. When working with data in the Splunk platform, each event field typically has a single value. This function takes a multivalue field and returns a count of the values in. I was having a problem with my multi-result subsearch only returning one value (to the main search) when I used the fieldname search. Splunk Sort By Multiple Fields The appendcols command is a bit.