https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660712#M228110 <P>Please share the existing <FONT face="courier new,courier">eval</FONT> statement so someone can figure out how to add <FONT face="courier new,courier">mvfind</FONT>.</P> Fri, 13 Oct 2023 18:16:27 GMT richgalloway 2023-10-13T18:16:27Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660691#M228096 <P>I have two fields: DNS and DNS_Matched. The latter is a multi-value field. How can I see if a field value in DNS is in one&nbsp; of the multi-value field in DNS_Matched?</P><P>Example:<BR /><BR /></P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%" height="25px">DNS</TD><TD width="50%" height="25px">DNS_Matached</TD></TR><TR><TD width="50%" height="25px">host1</TD><TD width="50%" height="25px">host1<BR />host1-a<BR />host1-r</TD></TR><TR><TD width="50%" height="25px">host2</TD><TD width="50%" height="25px">host2<BR />host2-a<BR />host2-r</TD></TR></TBODY></TABLE> Fri, 13 Oct 2023 16:02:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660691#M228096 atebysandwich 2023-10-13T16:02:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660692#M228097 <P>Use the <FONT face="courier new,courier">mvfind</FONT> function.</P><LI-CODE lang="markup">| eval present=if(isnotnull(mvfind(DNS_Matched, DNS)),"yes", "no")</LI-CODE><P>&nbsp;</P> Fri, 13 Oct 2023 16:38:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660692#M228097 richgalloway 2023-10-13T16:38:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660708#M228106 <P>This worked in a vacuum but I get an error saying it's expecting IN when I tried adding it to existing Eval statement</P> Fri, 13 Oct 2023 17:52:55 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660708#M228106 atebysandwich 2023-10-13T17:52:55Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660712#M228110 <P>Please share the existing <FONT face="courier new,courier">eval</FONT> statement so someone can figure out how to add <FONT face="courier new,courier">mvfind</FONT>.</P> Fri, 13 Oct 2023 18:16:27 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660712#M228110 richgalloway 2023-10-13T18:16:27Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660716#M228113 <P>Matched=if(match(DNS,Identified_Host_Formatted) OR match(DNS,DNS_Matched),1,0)<BR /><BR /></P><P>I Would like to add the search you created to this. These existing only work on single valued fields</P> Fri, 13 Oct 2023 18:30:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660716#M228113 atebysandwich 2023-10-13T18:30:03Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660729#M228120 <P>Use <FONT face="courier new,courier">mvfind</FONT> in place of <FONT face="courier new,courier">match</FONT> for multi-value fields.</P> Fri, 13 Oct 2023 18:55:22 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660729#M228120 richgalloway 2023-10-13T18:55:22Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660890#M228177 <P>This didn't seem to work. I got error saying it could only use Boolean, or an error if around the if fucntion if I used isnotnull. Can you please type out waht you're thinking with the 3 clauses please?</P> Mon, 16 Oct 2023 15:37:34 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660890#M228177 atebysandwich 2023-10-16T15:37:34Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660891#M228178 <P>This is what I'm thinking.</P><LI-CODE lang="markup">Matched=if(isnotnull(mvfind(DNS,Identified_Host_Formatted)) OR isnotnull(mvfind(DNS,DNS_Matched)),1,0)</LI-CODE><P>If it doesn't work then please include the exact query you're testing in your reply.</P> Mon, 16 Oct 2023 15:41:31 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660891#M228178 richgalloway 2023-10-16T15:41:31Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660903#M228181 <P>The results were literally the same as my originally search. My search is not different now than what I used from yours.</P> Mon, 16 Oct 2023 16:46:25 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660903#M228181 atebysandwich 2023-10-16T16:46:25Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660904#M228182 <P>My requirements are, using mulit-values, if DNS is listed in DNS_Matched, have matched=1</P> Mon, 16 Oct 2023 16:47:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660904#M228182 atebysandwich 2023-10-16T16:47:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660916#M228185 <P>It's time to stop the piecemeal business.&nbsp; Please share the <STRONG>full</STRONG> (sanitized, if necessary) query that produces the current results and perhaps someone can find a way to produce the desired results.</P> Mon, 16 Oct 2023 17:37:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-search-for-Filed-Values-in-a-Different-Multi-Value/m-p/660916#M228185 richgalloway 2023-10-16T17:37:51Z