Splunk Enterprise

How to remove a single value from a mv field?

richtate
Path Finder

Good morning/afternoon/evening,

I have a field (registeredIp) that sometimes will not have an IP address in it; it will be an error message instead. I use this field as my primary key for removing duplicates, so I need this field to have the IP. I also capture all associated IPs (management cards, multi-homed NICs, etc.) that show the IP as a mv field array, such as in this example:

ipAddress: (10.42.103.94,172.19.22.224,143.182.146.182,10.9.35.59)

I've used an IF statement with MATCH to get the first IP address (usually the production IP I need) but it only returns true in the registeredIp field.

| eval registrationIp=if(registrationIp="null" OR registrationIp="Singular expression refers to nonexistent object.",match(ipAddress,"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}"),registrationIp)

In this case I need registrationIp to equal 10.42.103.94, not True.

Any help getting the first IP address into this field would be appreciated.  Thanks!

 

1 Solution

bowesmana
SplunkTrust

@richtate  Quick tip - avoid replying to your own question, as it then shows it as having one reply and often that will be skipped by contributors as they assume there's already an answer - use edit instead.

I am guessing the 'registeredIp' you referred to is the same as registrationIp, so the easy option to grab a single entry from a MV field is to use mvindex, e.g.

| eval registrationIp=if(registrationIp="null" OR registrationIp="Singular expression refers to nonexistent object.",mvindex(ipAddress,0),registrationIp)

It takes the index of the IP you want - you can use -1 for the last entry.

Given the subject of this post about 'removing' an IP, mvfilter is another useful MV function, e.g. you can 'remove' all IP addresses starting with 10. with

| eval filteredIpAddress=mvfilter(!match(ipAddress, "^10\."))

Hope this helps

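The following is a complete, self-contained search added here to illustrate the accepted answer end to end; it is example code, not part of the original post. It fabricates three hosts with makeresults, split, mvexpand and rex (the host names srv01..srv03, the error strings and all addresses are constructed sample data), turns ipAddress into a real multivalue field with split, and then applies the answer's mvindex fallback, the mvfilter that drops addresses starting with 10., and the dedup the question describes. It goes one step beyond the answer in the fallback test: rather than enumerating the two known error strings, it checks whether registrationIp has the shape of a dotted-quad address at all, so any other non-IP text also falls back to the first entry of ipAddress.

```spl
| makeresults
| eval data=split("srv01;10.42.103.94;10.42.103.94,172.19.22.224,143.182.146.182,10.9.35.59|srv02;null;10.9.40.12,172.19.22.225|srv03;Singular expression refers to nonexistent object.;192.0.2.10,10.1.1.7", "|")
| mvexpand data
| rex field=data "^(?<host>[^;]+);(?<registrationIp>[^;]+);(?<ipAddress>.+)$"
| eval ipAddress=split(ipAddress, ",")
| fields - data, _time
| eval registrationIp=if(match(registrationIp, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), registrationIp, mvindex(ipAddress, 0))
| eval nonPrivateIp=mvfilter(!match(ipAddress, "^10\."))
| dedup registrationIp
| table host registrationIp ipAddress nonPrivateIp
```

With the constructed rows, srv01 keeps 10.42.103.94, srv02 ("null") becomes 10.9.40.12 and srv03 (the error message) becomes 192.0.2.10, while nonPrivateIp holds only the entries outside 10.x.x.x. Two caveats worth checking in real data: mvindex returns null when ipAddress is empty, so a host with no addresses at all would be deduplicated under a null key; and mvfilter returns null when no value survives the filter. If ipAddress arrives as one string such as "(10.42.103.94,172.19.22.224)" rather than a true multivalue field, mvindex(ipAddress, 0) returns the whole string, so split it first, for example with split(trim(ipAddress, "()"), ",").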

richtate
Path Finder

Thanks for the 'edit' tip; I didn't see that option until I clicked the drop-down arrow at the top of the post. Appreciate the training on how to use this forum!

Also, you are correct, it's registrationIp throughout. I have a lot to learn about mv fields, thanks again.

bowesmana
SplunkTrust

If you are using Splunk 9, there are some modifications to the foreach command to be able to work with MV fields.

 


richtate
Path Finder

Also, I tried using mvexpand and all that did was increase entries by the number of IP addresses.  I need one IP for each server only.
