Re: search a value in a field having collective da...

nagar57 · ‎01-14-2020

I am having a lookup which have collective values like the screenshot below:

It contains collective values for pKey field. pKey field is getting calculated by doing lookup to another lookup which is returning the collective data.
I want to search a value inside this field like below

| inputlookup test_key_vatson.csv
|eval
test_flag=if("5e1d9bbb43a6f560c35c89c1"
IN(pKey),"True","False")

This is not giving the correct result as below:

to4kawa · ‎01-14-2020

| makeresults 
| eval _raw="email_id,flag,pKey,report_type
dinesh.wadhwa@aexp.com,open,5e1d9bbb43a6f560c35c89c1,upcoming_offers
naman.agarwal@aexp.com,open,5e1d9d4c43a6f52a50596021," 
| multikv forceheader=1 
| stats list(*) as * by _time 
| table email_id,flag,pKey,report_type
    `comment("this is sample you provide")` 
| eval flag=if(match(pKey,"5e1d9bbb43a6f560c35c89c1"),"True","False")

Hi, @nagar57
match is useful.
You can use both multi and single field values.

aberkow · ‎01-14-2020

Since you're working with a multivalue field, you want to use multivalue commands https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/MultivalueEvalFunctions#mvfilter..... Below are two examples of things that should work (matching a regex block or filtering down to just that row):

| makeresults count=2
| streamstats count
| eval letter=if(count=1, "a", "b")
| stats values(letter) as letter
| eval letterExists=if(match(letter, "a"),1,0)
| eval letterFiltered=mvfilter(match(letter, "a"))

Hope this helps 🙂

search a value in a field having collective data

kvstore

Customer Experience | Splunk 2024: New Onboarding Resources

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...