Re: filter multivalue of strings by substring/char...

Kubousky · ‎03-23-2022

I need to filter multivalue of strings by substring/character.

field coordinatorsID: a##1, b##2, c##3, d##3

field expertiseLevel can be one of "1", "2", "3"

Exmple:

expertiseLevel = "3"

result -> c##3, d##3

What I tried:

attempt1:

| eval coordinatorsID_filtered = mvfilter(like(coordinatorsID,"%$expertiseLevel$")) error

attempt2:

| eval expertiseLevel = case(expertiseLevel == "1", "%1", expertiseLevel == "2", "%2", expertiseLevel == "3", "%3")

| eval coordinatorsID_filtered = mvfilter(like(coordinatorsID,$expertiseLevel$)) null

tshah-splunk · ‎03-23-2022

Hey @Kubousky,

If the field coordinatorsID is present as a column of the table, try expanding the field using mvexpand first, and then extract the field expertiseLevel from the coordinatorsID using regex. This will create a separate column for the expertiseLevel and then you can filter your data using the search command. Roughly your query should look something like this

<<your_base_query>>
| mvexpand coordinatorsID
| rex field=coordinatorsID "[a-zA-Z]##(?<expertiseLevel>\d)"
| search expertiseLevel="3"

---
If you find the answer helpful, an upvote/karma is appreciated

How to filter multivalue of strings by substring/character?

table

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?