https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-results-from-splunk-search-from-a-set-criteria/m-p/483854#M193385 <P>Thanks Tikar</P> <P>Added "where !=" to remove the blank rows </P> <P>Appreciate your Help</P> Thu, 16 Jan 2020 13:50:03 GMT NayneshPatel 2020-01-16T13:50:03Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-results-from-splunk-search-from-a-set-criteria/m-p/483852#M193383 <P>I have a raw the i extract and filter and table them according to Country<BR /> _raw</P> <PRE><CODE>[{"Conutry":"America","State":"Nevada","Building":"Small"}, {"Conutry":"America","State":"Nevada","Building":"Medium"}, {"Conutry":"America","State":"Nevada","Building":"Large"}, {"Conutry":"Canada","State":"Montreal","Building":"Small"}, {"Conutry":"Canada","State":"Montreal","Building":"Medium"}, {"Conutry":"Canada","State":"Montreal","Building":"Large"} {"Conutry":"Spain","State":"Barcelona","Building":"Small"}, {"Conutry":"Spain","State":"Barcelona","Building":"Medium"}, {"Conutry":"Spain","State":"Barcelona","Building":"Large"}, {"Conutry":"Spain","State":"Barcelona","Building":"Extra_Large"}] etc.... </CODE></PRE> <P>My Search is:</P> <PRE><CODE>index=xyz | sourcepath=xyz | rename {}.* as * | eval tmp=mvzip(mvzip(Conutry,State),Building) | mvexpand tmp | eval Conutry=mvindex(split(tmp,","),0),State=mvindex(split(tmp,","),1),Building=mvindex(split(tmp,","),2) | table Conutry, State, Building </CODE></PRE> <P>My Results are grouped by country as follows</P> <PRE><CODE>Country..../....State..../...Building America......Nevada........Small ....................Nevada.........Medium ....................Nevada.........Large Canada.......Montreal......Small ....................Montreal.......Medium ....................Montreal.......Large Spain.........Barcelona......Small ...................Barcelona......Medium ...................Barcelona......Large ...................Barcelona......Extra_Large etc.... </CODE></PRE> <P>How do i search or filter out the "Building" Column so that if it contains anything OTHER THAN "Small\Medium\Large", display the results. Note the field "Extra_Large" is NOT the same and can be any word</P> <P>Expected Results should be</P> <PRE><CODE>Country..../....State..../...Building Spain.........Barcelona......Small ...................Barcelona......Medium ...................Barcelona......Large ...................Barcelona......Extra_Large France.......Paris................Small ...................Paris................Medium ...................Paris................Large ...................Paris................Too_Small </CODE></PRE> <P>Any help appreciated</P> Thu, 16 Jan 2020 12:06:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-results-from-splunk-search-from-a-set-criteria/m-p/483852#M193383 NayneshPatel 2020-01-16T12:06:41Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-results-from-splunk-search-from-a-set-criteria/m-p/483853#M193384 <P>Hi @NayneshPatel :</P> <P>Can you try by <STRONG><EM>mvfilter</EM></STRONG>, her an example that can filter Building:</P> <PRE><CODE>| makeresults | eval HRA="Small,Medium,Large,Extra_Large,Too_Small" | eval HRA=split(HRA,",") | mvexpand HRA | stats values(HRA) as HRA | eval x=mvfilter(NOT (like(HRA,"Medium") OR like(HRA,"Small") OR like(HRA,"Large"))) </CODE></PRE> Thu, 16 Jan 2020 13:34:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-results-from-splunk-search-from-a-set-criteria/m-p/483853#M193384 TISKAR 2020-01-16T13:34:10Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-results-from-splunk-search-from-a-set-criteria/m-p/483854#M193385 <P>Thanks Tikar</P> <P>Added "where !=" to remove the blank rows </P> <P>Appreciate your Help</P> Thu, 16 Jan 2020 13:50:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-out-results-from-splunk-search-from-a-set-criteria/m-p/483854#M193385 NayneshPatel 2020-01-16T13:50:03Z