Hello Splunk Community,
I've tried to do my homework on the subject and I'm coming up short, so here I am. I'm a few months new to Splunk and I have a question regarding multivalue fields. The problem I'm working with is calculating the number of federal holidays between two dates by employee while accounting for hire-date. So for example, if I was looking at two employees, one starting in Jan, the other in Feb, if I look at holidays between Jan and Feb by employee, the individual hired in Feb shouldn't have New Years or MLK counted against them.
My current strategy is to reference a lookup table containing several years' worth of federal holidays. It's a bit hack-y, as it adds two multivalue fields to each event - the holiday name and date. I've used the 'addinfo' command to get a min/max time from the time selector, and a strptime() command to evaluate the epoch time of each holiday's date, but when I use the mvfilter command to compare the epoch holiday time and the info_min_time/info_max_time I get an error saying the arguments to mvfilter are invalid. I did some digging and found out that mvfilter(X) only works when X is an expression referencing one field, not more than one.
So for instance, this line gives me an error:
| eval in_range=mvfilter(epoch_holiday>=info_min_time AND epoch_holiday <= info_max_time)
While this line does not:
| eval keep=mvfilter(epoch_holiday>=1483228800 AND epoch_holiday <= 1488326400)
*So my big question - is there a way to compare a multivalue field to one or more single value field(s)?* I've tried using mvexpand/mvcombine but it messes with the events in a weird way. I'm wondering if I'm asking Splunk to do something it's not quite designed to do, but any help would be greatly appreciated. Thanks!
-J
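An added example, not from the original post and not from Splunk's own documentation, showing one way to compare a multivalue field against single-value fields in SPL. Because mvfilter() may only reference one field, it uses mvmap() instead, which exists in Splunk 8.0 and later and may reference other fields inside its expression. The employee names, hire dates, holiday list and the window_start/window_end fields are constructed sample values so the search runs on its own; in the real search the window would come from addinfo's info_min_time/info_max_time and the holiday name/date pairs from the lookup.

```spl
| makeresults
| eval employee="alice", hire_date="2017-01-03"
| append [| makeresults | eval employee="bob", hire_date="2017-02-06"]
| eval hire_epoch=strptime(hire_date, "%Y-%m-%d")
| eval window_start=strptime("2017-01-01", "%Y-%m-%d"), window_end=strptime("2017-02-28", "%Y-%m-%d")
| eval holiday="New Year's Day,Martin Luther King Jr. Day,Presidents Day"
| eval holiday_date="2017-01-02,2017-01-16,2017-02-20"
| makemv delim="," holiday
| makemv delim="," holiday_date
| eval epoch_holiday=mvmap(holiday_date, strptime(holiday_date, "%Y-%m-%d"))
| eval effective_start=max(window_start, hire_epoch)
| eval in_range=mvmap(epoch_holiday, if(epoch_holiday>=effective_start AND epoch_holiday<=window_end, epoch_holiday, null()))
| eval holidays_counted=coalesce(mvcount(in_range), 0)
| eval holidays_in_range=mvmap(in_range, strftime(in_range, "%Y-%m-%d"))
| table employee hire_date holidays_counted holidays_in_range
```

The per-employee hire date is folded into the lower bound with max(window_start, hire_epoch), so a holiday before someone's hire date is never counted against them: with the constructed data, alice (hired 2017-01-03) gets 2 holidays (MLK Day and Presidents Day, the observed New Year's Day on 2017-01-02 being before her hire) and bob (hired 2017-02-06) gets 1. If the version in use keeps empty entries from null() in the multivalue result, add `| eval in_range=mvfilter(isnotnull(in_range))` after the mvmap line, which is legal because it references only one field. On versions before 8.0 the usual route is mvexpand on the holiday field, a where clause on the bounds, then stats count by employee; that is the path that tends to multiply events when other multivalue fields are present, so zip the holiday name and date into one field first.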