topic Re: Remove multiple values from a multi-value field in Splunk Search https://community.splunk.com/t5/Splunk-Search/Remove-multiple-values-from-a-multi-value-field/m-p/245896#M73314 <P>I would use mvfilter, specially in the cases where patterns to be filtered is small and entities in mv field is high. Like this</P> <PRE><CODE>| gentimes start=-1 | eval field1="pink,fluffy,unicorns" | table field1 | makemv field1 delim="," | eval field1_filtered=mvfilter(NOT match(field1,"pink") AND NOT match(field1,"fluffy")) </CODE></PRE> Fri, 22 Jan 2016 21:34:32 GMT somesoni2 2016-01-22T21:34:32Z Remove multiple values from a multi-value field https://community.splunk.com/t5/Splunk-Search/Remove-multiple-values-from-a-multi-value-field/m-p/245895#M73313 <P>I would like to remove multiple values from a multi-value field.</P> <P>Example:</P> <P>field_multivalue = pink,fluffy,unicorns</P> <P>Remove pink and fluffy so that:</P> <P>field_multivalue = unicorns</P> <P>I am thinking maybe:</P> <PRE><CODE>| stats values(field1) AS field_multivalue by field2 | mvfilter </CODE></PRE> <P>OR</P> <PRE><CODE>| stats values(field1) AS field_multivalue by field2 | mvexpand field_multivalue | search field_multivalue!="pink" field_multivalue!="fluffy" | mvcombine field_multivalue </CODE></PRE> <P>How would you recommend doing this? The list of values to filter out is over a dozen.</P> Fri, 22 Jan 2016 20:33:56 GMT https://community.splunk.com/t5/Splunk-Search/Remove-multiple-values-from-a-multi-value-field/m-p/245895#M73313 landen99 2016-01-22T20:33:56Z Re: Remove multiple values from a multi-value field https://community.splunk.com/t5/Splunk-Search/Remove-multiple-values-from-a-multi-value-field/m-p/245896#M73314 <P>I would use mvfilter, specially in the cases where patterns to be filtered is small and entities in mv field is high. Like this</P> <PRE><CODE>| gentimes start=-1 | eval field1="pink,fluffy,unicorns" | table field1 | makemv field1 delim="," | eval field1_filtered=mvfilter(NOT match(field1,"pink") AND NOT match(field1,"fluffy")) </CODE></PRE> Fri, 22 Jan 2016 21:34:32 GMT https://community.splunk.com/t5/Splunk-Search/Remove-multiple-values-from-a-multi-value-field/m-p/245896#M73314 somesoni2 2016-01-22T21:34:32Z