weirdness using max() and min() in eval, operating on numeric multivalue fields

Question

It seems like if you I have a numeric multivalued field, I should be able to use eval to take the max and min of the values per row.

For example, I have a 'bytes' field on my events. i form those events into transactions and now i have a nice multivalued 'bytes' field on my transaction rows.
From here I'd like to get the max and min values of bytes per row, ie so I end up with a single 'maxBytes' number per transaction row.

<my search> | transaction user | eval maxBytes=max(bytes)

However when I do this I end up with a multiValued maxBytes, and its exactly as though I had just done:

<my search> | transaction user | eval maxBytes=bytes

Is there a reason for why it works this way or is there a workaround for it?

Accepted Answer

After re-reading the docs, it does seem like this would be a nice feature request. I think you have to use stats and not eval when you are using the max() function this way. It seems like you have to have a list of values for max in eval where as stats max() works fine with multi-valued fields. (There does seem to be some lacking features for multi-value fields like this. Another one would be that you can't simply add a value to a multi-value field without some ugly delimiter-based hacks.)

Perhaps this would be the best fit for your situation:

 ... | streamstats max(bytes) as maxBytes window=1

BTW. Make sure that use include mvlist="bytes" on your transaction command, or you will get a unique list of values for bytes instead of a one-for-one listing of your bytes values. (I guess this really only matters if your doing sum(bytes) or something like that, but this seems easy to overlook so I figured I point it out.)

weirdness using max() and min() in eval, operating on numeric multivalue fields

Follow this question

Splunk Resources

Related questions