Solved: Re: How to remove a single value from a mv field?

richtate · ‎12-09-2022

Good morning/afternoon/evening,

I have a field (registeredIp) that sometimes will not have an IP address in it, it will be an error message instead. I use this field as my primary key for removing duplicates so I need this field to have the IP. I also capture all associated IPs (management cards, multi homed NICs, etc.) that show the IP as a mv field array such as in this example:

ipAddress: (10.42.103.94,172.19.22.224,143.182.146.182,10.9.35.59)

I've used an IF statement with MATCH to get the first IP address (usually the production IP I need) but it only returns true in the registeredIp field.

| eval registrationIp=if(registrationIp="null" OR registrationIp="Singular expression refers to nonexistent object.",match(ipAddress,"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}"),registrationIp)

In this case I need registrationIp to equal 10.42.103.94, not True.

Any help getting the first IP address into this field would be appreciated. Thanks!

bowesmana · ‎12-11-2022

@richtate Quick tip - avoid replying to your own question, as it then shows it as having one reply and often that will be skipped by contributors as they assume there's already an answer - use edit instead.

I am guessing your 'registeredIp' referred to is the same as registrationIp, so the easy option to grap a single entry from a MV field is to use mvindex, e.g.

| eval registrationIp=if(registrationIp="null" OR registrationIp="Singular expression refers to nonexistent object.",mvindex(ipAddress,0),registrationIp)

It takes the index of the IP you want - you can use -1 for the last entry.

Given the subject of this post about 'removing' an IP, then mvfilter is also another useful MV function, e.g. you can 'remove' all ip addresses starting with a 10. with

| eval filteredIpAddress=mvfilter(!match(ipAddress, "^10\."))

Hope this helps

View solution in original post

bowesmana · ‎12-11-2022

@richtate Quick tip - avoid replying to your own question, as it then shows it as having one reply and often that will be skipped by contributors as they assume there's already an answer - use edit instead.

I am guessing your 'registeredIp' referred to is the same as registrationIp, so the easy option to grap a single entry from a MV field is to use mvindex, e.g.

| eval registrationIp=if(registrationIp="null" OR registrationIp="Singular expression refers to nonexistent object.",mvindex(ipAddress,0),registrationIp)

It takes the index of the IP you want - you can use -1 for the last entry.

Given the subject of this post about 'removing' an IP, then mvfilter is also another useful MV function, e.g. you can 'remove' all ip addresses starting with a 10. with

| eval filteredIpAddress=mvfilter(!match(ipAddress, "^10\."))

Hope this helps

richtate · ‎12-12-2022

Thanks for the 'edit' tip, I didn't see that option until you click the drop down arrow at the top of the post. Appreciate the training on how to use this forum!

Also, you are correct, it's registrationIp through out. I have a lot to learn about mv fields, thanks again.

bowesmana · ‎12-12-2022

If you are using Splunk 9, there are some modifications to the foreach command to be able to work with MV fields.

richtate · ‎12-09-2022

Also, I tried using mvexpand and all that did was increase entries by the number of IP addresses. I need one IP for each server only.

How to remove a single value from a mv field?

using Splunk Enterprise

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services