Splunk Search

FIltering a record out based on stats values

aferone
Builder

Greetings all.

I have this:

| stats dc(Indexer) AS conntected_indexers values(Indexer) as Connected by connectType sourceIp sourceHost Ver 

I have a list of indexers (ind1, ind2, ind3) that if they show up in values(indexer), I want to filter that entire line out of my report.

How would I do that?

Thanks!

0 Karma
1 Solution

jpolvino
Builder

You could use the mvfind command to tag rows that do match your exclude list, and then filter those rows away.

One way to do it, using a run-anywhere example:

| makeresults 
| eval raw="ind1,ind2,ind3"
| makemv delim="," raw
| eval deleteFound=mvfind(raw,"(ind2|ind3)")
| eval deleteNotFound=mvfind(raw,"(ind4|ind6)")

In this example, I created deleteFound to show a positive case. If the row has a non-null value for this field, it should be deleted. This can be done by adding this line to the end: | where isnull(deleteFound)

So after your stats command, try this:

| eval deleteFound=mvfind(Connected,"(ind1|ind2|ind3)")
| where isnull(deleteFound)

View solution in original post

0 Karma

jpolvino
Builder

You could use the mvfind command to tag rows that do match your exclude list, and then filter those rows away.

One way to do it, using a run-anywhere example:

| makeresults 
| eval raw="ind1,ind2,ind3"
| makemv delim="," raw
| eval deleteFound=mvfind(raw,"(ind2|ind3)")
| eval deleteNotFound=mvfind(raw,"(ind4|ind6)")

In this example, I created deleteFound to show a positive case. If the row has a non-null value for this field, it should be deleted. This can be done by adding this line to the end: | where isnull(deleteFound)

So after your stats command, try this:

| eval deleteFound=mvfind(Connected,"(ind1|ind2|ind3)")
| where isnull(deleteFound)
0 Karma

aferone
Builder

Your 2nd example works like a charm. Thank you!

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...