```
| eval ipaddresses=mvappend(mvappend("localhost", srcip), destip, "192.168.1.1")
```

The results are placed in a new field called ipaddresses, which contains the array.

Note that the previous example generates the same results as the following example, which does not use a nested mvappend function:

```
| makeresults | eval ipaddresses=mvappend("localhost", srcip, destip, "192.168.1.1")
```

This function takes a field and returns a count of the values in that field for each result. If the field is a multivalue field, returns the number of values in that field. If the field contains a single value, this function returns 1. If the field has no values, this function returns NULL.

```
| eval n=mvcount(multifield)
```

Extended example

In the following example, the mvcount() function returns the number of email addresses in the To, From, and Cc fields and saves the addresses in the specified "_count" fields.

```
| eval Cc_count=
```

search takes the values in the To field and uses the split function to separate the email address on the symbol. The split function is also used on the Cc field for the same purpose.

If only a single email address exists in the From field, as you would expect, mvcount(From) returns 1.