How to exclude some keyword by using mvfilter?

super_saiyan · ‎04-21-2022

Hi all,

i want to hide / delete / exclude some keyword like " supersaiyan" , "leave" from the below event using mvfilter. can anyone please tell me how to do it ?

| makeresults
| eval target_text="My name is supersaiyan, leave this to me"

Thanks

isoutamo · ‎04-21-2022

Hi

when you have normal field (not multivalue) then you can do it like

| makeresults
| fields - _time
| eval target_text="My name is supersaiyan, leave this to me"
| rex mode=sed field=target_text "s/(supersaiyan|leave)//g"

r. Ismo

super_saiyan · ‎04-21-2022

thanks for your quick response @isoutamo .

This is for testing purpose, but i do have multi field values. could you please guide me how do this same thing using mvfilter.

Thanks

isoutamo · ‎04-21-2022

With mvfilter you can select items which contains that regex which you are looking. It's not remove those content like above rex.
https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/MultivalueEvalFunctions#mvfilter....

super_saiyan · ‎04-21-2022

any thoughts ? @isoutamo

How to exclude some keyword by using mvfilter?

troubleshooting

using Splunk Enterprise

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor