Splunk Search

FIltering a record out based on stats values

aferone
Builder

Greetings all.

I have this:

| stats dc(Indexer) AS conntected_indexers values(Indexer) as Connected by connectType sourceIp sourceHost Ver 

I have a list of indexers (ind1, ind2, ind3) that if they show up in values(indexer), I want to filter that entire line out of my report.

How would I do that?

Thanks!

0 Karma
1 Solution

jpolvino
Builder

You could use the mvfind command to tag rows that do match your exclude list, and then filter those rows away.

One way to do it, using a run-anywhere example:

| makeresults 
| eval raw="ind1,ind2,ind3"
| makemv delim="," raw
| eval deleteFound=mvfind(raw,"(ind2|ind3)")
| eval deleteNotFound=mvfind(raw,"(ind4|ind6)")

In this example, I created deleteFound to show a positive case. If the row has a non-null value for this field, it should be deleted. This can be done by adding this line to the end: | where isnull(deleteFound)

So after your stats command, try this:

| eval deleteFound=mvfind(Connected,"(ind1|ind2|ind3)")
| where isnull(deleteFound)

View solution in original post

0 Karma

jpolvino
Builder

You could use the mvfind command to tag rows that do match your exclude list, and then filter those rows away.

One way to do it, using a run-anywhere example:

| makeresults 
| eval raw="ind1,ind2,ind3"
| makemv delim="," raw
| eval deleteFound=mvfind(raw,"(ind2|ind3)")
| eval deleteNotFound=mvfind(raw,"(ind4|ind6)")

In this example, I created deleteFound to show a positive case. If the row has a non-null value for this field, it should be deleted. This can be done by adding this line to the end: | where isnull(deleteFound)

So after your stats command, try this:

| eval deleteFound=mvfind(Connected,"(ind1|ind2|ind3)")
| where isnull(deleteFound)
0 Karma

aferone
Builder

Your 2nd example works like a charm. Thank you!

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...