How to filter multivalue of strings by substring/c...

Kubousky · ‎03-23-2022

I need to filter multivalue of strings by substring/character.

field coordinatorsID: a##1, b##2, c##3, d##3

field expertiseLevel can be one of "1", "2", "3"

Exmple:

expertiseLevel = "3"

result -> c##3, d##3

What I tried:

attempt1:

| eval coordinatorsID_filtered = mvfilter(like(coordinatorsID,"%$expertiseLevel$")) error

attempt2:

| eval expertiseLevel = case(expertiseLevel == "1", "%1", expertiseLevel == "2", "%2", expertiseLevel == "3", "%3")

| eval coordinatorsID_filtered = mvfilter(like(coordinatorsID,$expertiseLevel$)) null

tshah-splunk · ‎03-23-2022

Hey @Kubousky,

If the field coordinatorsID is present as a column of the table, try expanding the field using mvexpand first, and then extract the field expertiseLevel from the coordinatorsID using regex. This will create a separate column for the expertiseLevel and then you can filter your data using the search command. Roughly your query should look something like this

<<your_base_query>>
| mvexpand coordinatorsID
| rex field=coordinatorsID "[a-zA-Z]##(?<expertiseLevel>\d)"
| search expertiseLevel="3"

---
If you find the answer helpful, an upvote/karma is appreciated

How to filter multivalue of strings by substring/character?

table

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

How to filter multivalue of strings by substring/character?

table

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25