Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove a single value from a mv field?

richtate
Path Finder
‎12-09-2022 08:30 AM

Good morning/afternoon/evening,

I have a field (registeredIp) that sometimes will not have an IP address in it, it will be an error message instead.  I use this field as my primary key for removing duplicates so I need this field to have the IP.  I also capture all associated IPs (management cards, multi homed NICs, etc.) that show the IP as a mv field array such as in this example:

ipAddress: (10.42.103.94,172.19.22.224,143.182.146.182,10.9.35.59)

I've used an IF statement with MATCH to get the first IP address (usually the production IP I need) but it only returns true in the registeredIp field.

| eval registrationIp=if(registrationIp="null" OR registrationIp="Singular expression refers to nonexistent object.",match(ipAddress,"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}"),registrationIp)

In this case I need registrationIp to equal 10.42.103.94, not True.

Any help getting the first IP address into this field would be appreciated.  Thanks!

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-11-2022 03:33 PM

@richtate  Quick tip - avoid replying to your own question, as it then shows it as having one reply and often that will be skipped by contributors as they assume there's already an answer - use edit instead.

I am guessing your 'registeredIp' referred to is the same as registrationIp, so the easy option to grap a single entry from a MV field is to use mvindex, e.g.

| eval registrationIp=if(registrationIp="null" OR registrationIp="Singular expression refers to nonexistent object.",mvindex(ipAddress,0),registrationIp)

It takes the index of the IP you want - you can use -1 for the last entry.

Given the subject of this post about 'removing' an IP, then mvfilter is also another useful MV function, e.g. you can 'remove' all ip addresses starting with a 10. with

| eval filteredIpAddress=mvfilter(!match(ipAddress, "^10\."))

Hope this helps

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-11-2022 03:33 PM

@richtate  Quick tip - avoid replying to your own question, as it then shows it as having one reply and often that will be skipped by contributors as they assume there's already an answer - use edit instead.

I am guessing your 'registeredIp' referred to is the same as registrationIp, so the easy option to grap a single entry from a MV field is to use mvindex, e.g.

| eval registrationIp=if(registrationIp="null" OR registrationIp="Singular expression refers to nonexistent object.",mvindex(ipAddress,0),registrationIp)

It takes the index of the IP you want - you can use -1 for the last entry.

Given the subject of this post about 'removing' an IP, then mvfilter is also another useful MV function, e.g. you can 'remove' all ip addresses starting with a 10. with

| eval filteredIpAddress=mvfilter(!match(ipAddress, "^10\."))

Hope this helps

Reply
Solved! Jump to solution

richtate
Path Finder
‎12-12-2022 08:11 AM

Thanks for the 'edit' tip, I didn't see that option until you click the drop down arrow at the top of the post.  Appreciate the training on how to use this forum!

Also, you are correct, it's registrationIp through out.  I have a lot to learn about mv fields, thanks again.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎12-12-2022 01:54 PM

If you are using Splunk 9, there are some modifications to the foreach command to be able to work with MV fields.

 

0 Karma
Reply
Solved! Jump to solution

richtate
Path Finder
‎12-09-2022 02:47 PM

Also, I tried using mvexpand and all that did was increase entries by the number of IP addresses.  I need one IP for each server only.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...