topic Re: How do I exclude fields with certain values from a table when the event has multiple values for the same fields? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-I-exclude-fields-with-certain-values-from-a-table-when/m-p/317815#M95094 <P>If you are trying to eliminate just the words from the multivalue field, then use <CODE>mvfilter()</CODE>.</P> <PRE><CODE>| eval Indicator=mvfilter(NOT match(Indicator,"^(POLICY_TERMINATE|MALWARE_DROP)$")) </CODE></PRE> <P>The doc is on this page... </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/MultivalueEvalFunctions">http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/MultivalueEvalFunctions</A></P> <P>And here are a couple of related answers...</P> <P><A href="https://answers.splunk.com/answers/13382/removing-some-field-values-from-a-mulitiple-value-field.html">https://answers.splunk.com/answers/13382/removing-some-field-values-from-a-mulitiple-value-field.html</A></P> <P><A href="https://answers.splunk.com/answers/346961/remove-multiple-values-from-a-multi-value-field.html">https://answers.splunk.com/answers/346961/remove-multiple-values-from-a-multi-value-field.html</A></P> Thu, 19 Oct 2017 02:26:56 GMT DalJeanis 2017-10-19T02:26:56Z How do I exclude fields with certain values from a table when the event has multiple values for the same fields? https://community.splunk.com/t5/Splunk-Search/How-do-I-exclude-fields-with-certain-values-from-a-table-when/m-p/317814#M95093 <P>Hi,</P> <P>As the title says. Refer to the screenshot below too;</P> <P><span class="lia-inline-image-display-wrapper" image-alt="The event"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3695iA04DD77EAFBFDCF8/image-size/large?v=v2&amp;px=999" role="button" title="The event" alt="The event" /></span><BR /> The above is the log for the event. as you can see, there are multiple indicatorName in a single event.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="The table"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3696iFA36077C49A8698A/image-size/large?v=v2&amp;px=999" role="button" title="The table" alt="The table" /></span><BR /> And this is the table when I do a top. However, I only want certain values to show. E.g. Only show <CODE>indicatorName: DETECTED_MALWARE_APP</CODE> and not <CODE>indicatorName: CODE_DROP</CODE>.</P> Thu, 19 Oct 2017 01:22:28 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-exclude-fields-with-certain-values-from-a-table-when/m-p/317814#M95093 ZacEsa 2017-10-19T01:22:28Z Re: How do I exclude fields with certain values from a table when the event has multiple values for the same fields? https://community.splunk.com/t5/Splunk-Search/How-do-I-exclude-fields-with-certain-values-from-a-table-when/m-p/317815#M95094 <P>If you are trying to eliminate just the words from the multivalue field, then use <CODE>mvfilter()</CODE>.</P> <PRE><CODE>| eval Indicator=mvfilter(NOT match(Indicator,"^(POLICY_TERMINATE|MALWARE_DROP)$")) </CODE></PRE> <P>The doc is on this page... </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/MultivalueEvalFunctions">http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/MultivalueEvalFunctions</A></P> <P>And here are a couple of related answers...</P> <P><A href="https://answers.splunk.com/answers/13382/removing-some-field-values-from-a-mulitiple-value-field.html">https://answers.splunk.com/answers/13382/removing-some-field-values-from-a-mulitiple-value-field.html</A></P> <P><A href="https://answers.splunk.com/answers/346961/remove-multiple-values-from-a-multi-value-field.html">https://answers.splunk.com/answers/346961/remove-multiple-values-from-a-multi-value-field.html</A></P> Thu, 19 Oct 2017 02:26:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-exclude-fields-with-certain-values-from-a-table-when/m-p/317815#M95094 DalJeanis 2017-10-19T02:26:56Z Re: How do I exclude fields with certain values from a table when the event has multiple values for the same fields? https://community.splunk.com/t5/Splunk-Search/How-do-I-exclude-fields-with-certain-values-from-a-table-when/m-p/317816#M95095 <P>I tried it with <CODE>eval threatInfo.indicators{}.indicatorName=mvfilter(match(threatInfo.indicators{}.indicatorName, "DETECTED_MALWARE_APP"))</CODE> but it's throwing <CODE>Error in 'eval' command: The expression is malformed. Expected ).</CODE></P> Thu, 19 Oct 2017 03:08:43 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-exclude-fields-with-certain-values-from-a-table-when/m-p/317816#M95095 ZacEsa 2017-10-19T03:08:43Z Re: How do I exclude fields with certain values from a table when the event has multiple values for the same fields? https://community.splunk.com/t5/Splunk-Search/How-do-I-exclude-fields-with-certain-values-from-a-table-when/m-p/317817#M95096 <P>Nevermind, found out the issue. Splunk doesn't like it when my field name is <CODE>threatInfo.indicators{}.indicatorName</CODE>. Had to rename it to something else and then it worked. Thank you! Will mark your answer as correct now.</P> Thu, 19 Oct 2017 03:13:15 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-exclude-fields-with-certain-values-from-a-table-when/m-p/317817#M95096 ZacEsa 2017-10-19T03:13:15Z