Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I exclude fields with certain values from a table when the event has multiple values for the same fields?

ZacEsa
Communicator
‎10-18-2017 06:22 PM

Hi,

As the title says. Refer to the screenshot below too;

The event
The above is the log for the event. as you can see, there are multiple indicatorName in a single event.

The table
And this is the table when I do a top. However, I only want certain values to show. E.g. Only show indicatorName: DETECTED_MALWARE_APP and not indicatorName: CODE_DROP.

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎10-18-2017 07:26 PM

If you are trying to eliminate just the words from the multivalue field, then use mvfilter().

| eval Indicator=mvfilter(NOT match(Indicator,"^(POLICY_TERMINATE|MALWARE_DROP)$"))

The doc is on this page...

http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/MultivalueEvalFunctions

And here are a couple of related answers...

https://answers.splunk.com/answers/13382/removing-some-field-values-from-a-mulitiple-value-field.htm...

https://answers.splunk.com/answers/346961/remove-multiple-values-from-a-multi-value-field.html

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎10-18-2017 07:26 PM

If you are trying to eliminate just the words from the multivalue field, then use mvfilter().

| eval Indicator=mvfilter(NOT match(Indicator,"^(POLICY_TERMINATE|MALWARE_DROP)$"))

The doc is on this page...

http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/MultivalueEvalFunctions

And here are a couple of related answers...

https://answers.splunk.com/answers/13382/removing-some-field-values-from-a-mulitiple-value-field.htm...

https://answers.splunk.com/answers/346961/remove-multiple-values-from-a-multi-value-field.html

Reply
Solved! Jump to solution

ZacEsa
Communicator
‎10-18-2017 08:08 PM

I tried it with eval threatInfo.indicators{}.indicatorName=mvfilter(match(threatInfo.indicators{}.indicatorName, "DETECTED_MALWARE_APP")) but it's throwing Error in 'eval' command: The expression is malformed. Expected ).

0 Karma
Reply
Solved! Jump to solution

ZacEsa
Communicator
‎10-18-2017 08:13 PM

Nevermind, found out the issue. Splunk doesn't like it when my field name is threatInfo.indicators{}.indicatorName. Had to rename it to something else and then it worked. Thank you! Will mark your answer as correct now.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...