topic How to mvfilter() the results of mvappend()? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-mvfilter-the-results-of-mvappend/m-p/596189#M207540 <P>I have several fields I want to lump into 1 multivalue field and remove blanks.</P> <P>At the start of an event, there are up to 6 IP Addresses, either internal or external, but not both (they are the source IP, plus any LB hops along the way). They get extracted to either internal_src_ip# or external_src_ip#.&nbsp; If it is an internal IP, then the external_src_ip# will be "-", i.e. blank.</P> <P>If I run&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| eval OriginIP2 = mvappend(internal_src_ip, external_src_ip, internal_src_ip2, external_src_ip2, internal_src_ip3, external_src_ip3, internal_src_ip4, external_src_ip4, internal_src_ip5, external_src_ip5, internal_src_ip6, external_src_ip6 ) | eval OriginIP2 = mvfilter( match( OriginIP2, "^(?!-)" ) )</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>I get exactly what I want. A multivalue list in the field "OriginIP2" with "-" removed.</P> <P>However putting it together in 1 line (to automate as a Calculated Field) gives me an error.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| eval OriginIP2 = mvfilter( match( mvappend(internal_src_ip, external_src_ip, internal_src_ip2, external_src_ip2, internal_src_ip3, external_src_ip3, internal_src_ip4, external_src_ip4, internal_src_ip5, external_src_ip5, internal_src_ip6, external_src_ip6 ), "^(?!-)") )</LI-CODE><LI-CODE lang="markup">Error in 'eval' command: The arguments to the 'mvfilter' function are invalid. </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>As I read the docs, mvappend() should be returning a single mv field for match() to operate on, and then for match() to send to mvfilter().</P> <P>&nbsp;</P> <P>What am I missing?</P> Tue, 03 May 2022 16:00:31 GMT woodams 2022-05-03T16:00:31Z How to mvfilter() the results of mvappend()? https://community.splunk.com/t5/Splunk-Search/How-to-mvfilter-the-results-of-mvappend/m-p/596189#M207540 <P>I have several fields I want to lump into 1 multivalue field and remove blanks.</P> <P>At the start of an event, there are up to 6 IP Addresses, either internal or external, but not both (they are the source IP, plus any LB hops along the way). They get extracted to either internal_src_ip# or external_src_ip#.&nbsp; If it is an internal IP, then the external_src_ip# will be "-", i.e. blank.</P> <P>If I run&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| eval OriginIP2 = mvappend(internal_src_ip, external_src_ip, internal_src_ip2, external_src_ip2, internal_src_ip3, external_src_ip3, internal_src_ip4, external_src_ip4, internal_src_ip5, external_src_ip5, internal_src_ip6, external_src_ip6 ) | eval OriginIP2 = mvfilter( match( OriginIP2, "^(?!-)" ) )</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>I get exactly what I want. A multivalue list in the field "OriginIP2" with "-" removed.</P> <P>However putting it together in 1 line (to automate as a Calculated Field) gives me an error.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| eval OriginIP2 = mvfilter( match( mvappend(internal_src_ip, external_src_ip, internal_src_ip2, external_src_ip2, internal_src_ip3, external_src_ip3, internal_src_ip4, external_src_ip4, internal_src_ip5, external_src_ip5, internal_src_ip6, external_src_ip6 ), "^(?!-)") )</LI-CODE><LI-CODE lang="markup">Error in 'eval' command: The arguments to the 'mvfilter' function are invalid. </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>As I read the docs, mvappend() should be returning a single mv field for match() to operate on, and then for match() to send to mvfilter().</P> <P>&nbsp;</P> <P>What am I missing?</P> Tue, 03 May 2022 16:00:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-mvfilter-the-results-of-mvappend/m-p/596189#M207540 woodams 2022-05-03T16:00:31Z Re: mvfilter() the results of mvappend() https://community.splunk.com/t5/Splunk-Search/How-to-mvfilter-the-results-of-mvappend/m-p/596220#M207550 <P>As the documentation says, mvfilter requires a reference to a mv-field (not a field), which is why your command throws an error. Try something like this:</P><LI-CODE lang="markup">| eval OriginIP2 = mvappend(if(internal_src_ip="-",null(),internal_src_ip), if(external_src_ip="-",null(),external_src_ip), if(internal_src_ip2="-",null(),internal_src_ip2), if(external_src_ip2="-",null(),external_src_ip2), if(internal_src_ip3="-",null(),internal_src_ip3),if(external_src_ip3="-",null(),external_src_ip3), if(internal_src_ip4="-",null(),internal_src_ip4), if(external_src_ip4="-",null(),external_src_ip4),if(internal_src_ip5="-",null(),internal_src_ip5), if(external_src_ip5="-",null(),external_src_ip5), if(internal_src_ip6="-",null(),internal_src_ip6), if(external_src_ip6="-",null(),external_src_ip6))</LI-CODE> Tue, 03 May 2022 07:37:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-mvfilter-the-results-of-mvappend/m-p/596220#M207550 ITWhisperer 2022-05-03T07:37:11Z