How do I access an array value inside a case in Splunk?

Question

I'm new to Splunk and need some help with the following:

• authIndexValue[] is an array that will hold at least one value
• I want to access its value from inside a case in an eval statement but I get this error: Unknown search command '0'.
• I also tried http.request.queryParameters.authIndexValue{} with no luck

Below the eval line:

..search
| eval EventType=case(http.request.queryParameters.authIndexValue[0]==Login_FooBar, "LOGIN") 

How can I achieve this?

Thanks.

Answer 1

Splunk doesn't have "arrays"

It has multivalue fields

To access/do anything with them, you need to use multivalue commands/functions

• multivalue eval functions - https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions
• multivalue stats functions - https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multivaluefunctions

In your example, you'd want to do something like the following:

<search>
| eval EventType=case(mvindex(http.request.queryParameters.authIndexValue,0)==Login_FooBar,"LOGIN", mvindex(http.request.queryParameters.authIndexValue,0)==Login_BarFoo,"not a good login",1=1,"error state")