All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Having some trouble with sub searches and makemv/mvexpand

sunnyd
Engager
‎11-06-2015 12:49 PM

Im trying to do some data mining on twitter for a project. I trying to find keywords that are most popular, and then remove the stop words using a CSV lookup.

Here is my query: 

index=football-twitter lang=en earliest=-15m@m latest=@m
| eval foo=text
| makemv foo
| mvexpand foo
| search foo NOT
    [ 
    | inputlookup StopWords.csv 
    | rename Words AS foo ]
| top foo limit=1
| table foo

This does not work.

but if I use a slightly different query, it works. 

index=football-twitter lang=en earliest=-15m@m latest=@m
| makemv text
| mvexpand text
| search text NOT
    [ 
    | inputlookup StopWords.csv 
    | rename Words AS text ]
| top text limit=1
| table text

What I want to do, is create a time chart of the usage of the top keyword, and also use the sentiment app to generate a sentiment time chart . Something like - 

index=football-twitter lang=en
    [search index=football-twitter lang=en earliest=-15m@m latest=@m
    | makemv text
    | mvexpand text
    | search text NOT
        [ 
            | inputlookup StopWords.csv 
            | rename Words AS text ]
    | top text limit=1
    | table text] 
| sentiment twitter text
| timechart avg(sentiment)

but the query above does not seem to work either.

Any help would be greatly appreciated.

Thanks!

0 Karma
Reply

woodcock
Esteemed Legend
‎11-07-2015 04:05 PM

Sometimes you will have problems with eval if you do not put the RHV string-literal in double-quotes. For example, try this:

... | inputcsv YourFile.csv | eval newField=ThisIsAValueNotAFieldName

The above will NOT create newField but the following will:

... | inputcsv YourFile.csv | eval newField="ThisIsAValueNotAFieldName"

So try changing this part:

| eval foo=text

To this:

| eval foo="text"
0 Karma
Reply

woodcock
Esteemed Legend
‎11-25-2015 01:20 PM

Did this work for you?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...