Detailed Course Outline
Topic 1 – What are Multivalue Fields?
- Understand multivalue fields
- Define self-describing data
- Understand how JSON data is handled in Splunk
- Use the spath command to interpret self-describing data
- Use the mvzip and mvexpand commands to manipulate multivalue fields
- Convert single-value fields to multivalue fields with specific commands and functions
Topic 2 – Creating Multivalue Fields
- Creating multivalue fields with the makemv command and the split function of the eval command
Topic 3 – Evaluating Multivalue Fields
- Use the mvcount, mvindex, and mvfilter eval functions to evaluate multivalue fields
Topic 4 – Manipulating Multivalue Data
- Use the mvsort, mvzip, mvjoin, mvmap, and mvappend eval functions and the mvexpand command to analyze multivalue data