Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove a single value from a mv field?

richtate
Path Finder
‎12-09-2022 08:30 AM

Good morning/afternoon/evening,

I have a field (registeredIp) that sometimes will not have an IP address in it, it will be an error message instead.  I use this field as my primary key for removing duplicates so I need this field to have the IP.  I also capture all associated IPs (management cards, multi homed NICs, etc.) that show the IP as a mv field array such as in this example:

ipAddress: (10.42.103.94,172.19.22.224,143.182.146.182,10.9.35.59)

I've used an IF statement with MATCH to get the first IP address (usually the production IP I need) but it only returns true in the registeredIp field.

| eval registrationIp=if(registrationIp="null" OR registrationIp="Singular expression refers to nonexistent object.",match(ipAddress,"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}"),registrationIp)

In this case I need registrationIp to equal 10.42.103.94, not True.

Any help getting the first IP address into this field would be appreciated.  Thanks!

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-11-2022 03:33 PM

@richtate  Quick tip - avoid replying to your own question, as it then shows it as having one reply and often that will be skipped by contributors as they assume there's already an answer - use edit instead.

I am guessing your 'registeredIp' referred to is the same as registrationIp, so the easy option to grap a single entry from a MV field is to use mvindex, e.g.

| eval registrationIp=if(registrationIp="null" OR registrationIp="Singular expression refers to nonexistent object.",mvindex(ipAddress,0),registrationIp)

It takes the index of the IP you want - you can use -1 for the last entry.

Given the subject of this post about 'removing' an IP, then mvfilter is also another useful MV function, e.g. you can 'remove' all ip addresses starting with a 10. with

| eval filteredIpAddress=mvfilter(!match(ipAddress, "^10\."))

Hope this helps

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-11-2022 03:33 PM

@richtate  Quick tip - avoid replying to your own question, as it then shows it as having one reply and often that will be skipped by contributors as they assume there's already an answer - use edit instead.

I am guessing your 'registeredIp' referred to is the same as registrationIp, so the easy option to grap a single entry from a MV field is to use mvindex, e.g.

| eval registrationIp=if(registrationIp="null" OR registrationIp="Singular expression refers to nonexistent object.",mvindex(ipAddress,0),registrationIp)

It takes the index of the IP you want - you can use -1 for the last entry.

Given the subject of this post about 'removing' an IP, then mvfilter is also another useful MV function, e.g. you can 'remove' all ip addresses starting with a 10. with

| eval filteredIpAddress=mvfilter(!match(ipAddress, "^10\."))

Hope this helps

Reply
Solved! Jump to solution

richtate
Path Finder
‎12-12-2022 08:11 AM

Thanks for the 'edit' tip, I didn't see that option until you click the drop down arrow at the top of the post.  Appreciate the training on how to use this forum!

Also, you are correct, it's registrationIp through out.  I have a lot to learn about mv fields, thanks again.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎12-12-2022 01:54 PM

If you are using Splunk 9, there are some modifications to the foreach command to be able to work with MV fields.

 

0 Karma
Reply
Solved! Jump to solution

richtate
Path Finder
‎12-09-2022 02:47 PM

Also, I tried using mvexpand and all that did was increase entries by the number of IP addresses.  I need one IP for each server only.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...

Splunk Observability Cloud | Enhancing Your Onboarding Experience with the ...

We understand that your initial experience with getting data into Splunk Observability Cloud is crucial as it ...