topic Re: Multivalue-Field Filter in Splunk Search

Multivalue-Field Filter

doki971 — Mon, 19 Jul 2021 09:59:59 GMT

I receive a bunch of messages that all are assigned to a group by the groupID.
I also have a dynamic set of a range as a Multivalue-Field, that needs to be used as a filter for these messages.

I tried it like this so far, but couldn't get any results:

index=my_index sourcetype=my_source | eval range=case("case1", mvrange(1,9), "case2", mvrange(10,19),...) | where groupID in (range) | stats count(_raw) as count by groupdID

So if case1 happens, i only want to see the amount of Messages in the specified groupID-range, and so on..

Can anyone help me with that ?

Re: Multivalue-Field Filter

ITWhisperer — Mon, 19 Jul 2021 10:06:11 GMT

Try something like this

index=my_index sourcetype=my_source | eval range=case("case1", mvrange(1,9), "case2", mvrange(10,19),...) | mvexpand range | where groupID=range | stats count by groupdID

Re: Multivalue-Field Filter

doki971 — Mon, 19 Jul 2021 12:16:51 GMT

Thank you for your Reply. Unfortunately that does not return any results either.

Re: Multivalue-Field Filter

kamlesh_vaghela — Mon, 19 Jul 2021 12:37:33 GMT

@doki971

Your approach should work.

I found typo (groupdID) in your search. Is this a reason for no results?

index=my_index sourcetype=my_source | eval range=case("case1", mvrange(1,9), "case2", mvrange(10,19),...) | where groupID in (range) | stats count(_raw) as count by groupID

Thanks
KV
▄︻̷̿┻̿═━一 ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Re: Multivalue-Field Filter

doki971 — Mon, 19 Jul 2021 13:06:04 GMT

Thanks for your reply. Sorry about the typo, but that is not the issue because in my actual search i am using different field names anyway - 'groupID' is just for a better visualization.

Hower i found out that if e.g. i add

| where groupID = 8

meaning i just want the messages for groupID 8, i get the following error:

Error in 'where' command: Type checking failed. The '==' operator received different types.

Could that be the issue ?

I also tried:

| where groupID = "8"

Then the search does not return an error but again also no results.

Re: Multivalue-Field Filter

ITWhisperer — Mon, 19 Jul 2021 13:08:16 GMT

| where tonumber(groupID)=8

Re: Multivalue-Field Filter

doki971 — Mon, 19 Jul 2021 13:38:50 GMT

@kamlesh_vaghela @ITWhisperer
So Here is a little follow up, as i am still not able to get any results:

These are the results without the 'where' clause:

index=my_index sourcetype=my_sourcetype | stats count by groupID

So e.g. there are 2398465 Events for the groupID 492.

However as soon as i add the 'where' clause:

index=my_index sourcetype=my_sourcetype | eval range=mvrange(492,545) | where groupID in (range) | stats count by groupID

I am not getting any results anymore.

Same goes for the above suggestions with:

| where groupID=492 OR | where tonumber(groupID)=492 OR | where groupID="492"

Any more ideas ?

Re: Multivalue-Field Filter

ITWhisperer — Mon, 19 Jul 2021 13:43:01 GMT

Try it the other way around

index=my_index sourcetype=my_sourcetype | stats count by groupID | eval range=mvrange(492,546) | where groupID in (range)

Re: Multivalue-Field Filter

doki971 — Mon, 19 Jul 2021 13:46:40 GMT

Sadly didn't change anything

Re: Multivalue-Field Filter

kamlesh_vaghela — Mon, 19 Jul 2021 13:49:19 GMT

@doki971

If you can share about the condition in case statements then we can search for optimum solution.

| eval range=case("case1", mvrange(1,9), "case2", mvrange(10,19),...)

like, case1 & case2.. how many case are there, etc

Re: Multivalue-Field Filter

doki971 — Mon, 19 Jul 2021 13:57:17 GMT

I am currently trying to get any results, hence why i left the 'case' statement out for now.
However here are the cases i will need for the future:

| eval range=case("case1", mvrange(493,511), "case2", mvrange(436,448), "case3", mvrange(470,480))