https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/450562#M127581 <P>Hi rich, thanks for reply. I only get <CODE>Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.</CODE> when i do <CODE>| eval excludes = mvfilter( NOT in(mymvfield, 'exclude_me') )</CODE></P> Thu, 27 Jun 2019 12:32:18 GMT christoffertoft 2019-06-27T12:32:18Z https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/450560#M127579 <P>I'm trying to exclude a value from a multivalue list, but it only works when I input the string as a value, not as a field.</P> <P>I understand that it takes a regex as part of its expression, so is there any way i can accommodate that?</P> <P>Example:<BR /> `<BR /> |makeresults<BR /> | eval mymvfield ="a b c"<BR /> | makemv mymvfield<BR /> | eval exclude_me = "b"<BR /> | eval excludes = mvfilter(NOT in(mymvfield, exclude_me))</P> <P>`</P> <P>Doesnt work.</P> <P><CODE><BR /> | eval mymvfield ="a b c"<BR /> | makemv mymvfield<BR /> | eval excludes = mvfilter(NOT in(mymvfield, "b"))<BR /> </CODE></P> <P>works however. Ive tried <CODE>$exclude_me$, "$exclude_me$"</CODE> etc without luck.. </P> <P>I need to be able to exclude a value per row, based on the current value of <CODE>exclude_me</CODE> .. There has to be a way for this?</P> Wed, 30 Sep 2020 01:07:18 GMT https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/450560#M127579 christoffertoft 2020-09-30T01:07:18Z https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/450561#M127580 <P>Have you tried <CODE>'exclude_me'</CODE>?</P> Thu, 27 Jun 2019 12:22:51 GMT https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/450561#M127580 richgalloway 2019-06-27T12:22:51Z https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/450562#M127581 <P>Hi rich, thanks for reply. I only get <CODE>Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.</CODE> when i do <CODE>| eval excludes = mvfilter( NOT in(mymvfield, 'exclude_me') )</CODE></P> Thu, 27 Jun 2019 12:32:18 GMT https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/450562#M127581 christoffertoft 2019-06-27T12:32:18Z https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/450563#M127582 <P>If i do the logic <CODE>| where NOT 'exclude_me' in (mymvfield)</CODE> the logic works. as soon as i put the exact same string as the argument to the boolean logic in mvfilter it breaks.</P> Thu, 27 Jun 2019 12:34:13 GMT https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/450563#M127582 christoffertoft 2019-06-27T12:34:13Z https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/450564#M127583 <P>you could use a subsearch like:</P> <PRE><CODE>| makeresults | eval mymvfield ="a b c" | makemv mymvfield | eval excludes = mvfilter(NOT in(mymvfield, [| makeresults | eval search = "\"b\"" | return $search])) </CODE></PRE> <P><CODE>| eval search = "\"b\""</CODE> would be replaced with your actual search, then literally rename the field you want to <CODE>search</CODE><BR /> don’t quote me, but I don’t think the REGEX data type in splunk can be replaced with a field value, hence the need to use a subsearch to pass an actual string there<BR /> Note the value of <CODE>search</CODE> needs to be enclosed in <CODE>" "</CODE>, so you may need to do an eval before calling return to add the double quotes</P> Thu, 27 Jun 2019 12:56:54 GMT https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/450564#M127583 jplumsdaine22 2019-06-27T12:56:54Z https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/511232#M143238 <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/MultivalueEvalFunctions#mvfilter.28X.29" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/MultivalueEvalFunctions#mvfilter.28X.29</A></P><LI-CODE lang="markup">mvfilter(!MyField LIKE "%not_this_text%")</LI-CODE> Mon, 27 Jul 2020 21:29:03 GMT https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/511232#M143238 tmontney 2020-07-27T21:29:03Z https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/532043#M150301 <P>More than 1 year late, but a solution without any subsearch is :<BR /><BR /></P><LI-CODE lang="markup">| makeresults | eval mymvfield ="a b c" | makemv mymvfield | eval exclude_me = "b" | eval excludes = mvmap(mymvfield,if(!match(mymvfield,exclude_me),mymvfield,0)) |eval excludes = mvfilter(excludes!="0")</LI-CODE><P>`mvmap` will apply a condition on all the field of the multivalue fields (in this case replace the excluded fields with "0"<BR />then we filter on everything that is not "0"</P> Fri, 04 Dec 2020 15:53:49 GMT https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/532043#M150301 vgtk4431 2020-12-04T15:53:49Z https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/574220#M200116 <P>Great solution. using null or "" instead of 0 seems to exclude the need for the last mvfilter.</P> Tue, 09 Nov 2021 15:27:22 GMT https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/574220#M200116 elewis1 2021-11-09T15:27:22Z