Splunk Search

How do I search for events where a specific field value in a multivalue field is NOT the first value per event?

edrivera3
Builder

Hi
I extracted a multivalue field called error_number which contains all errors in each event. I would like to make a search for those events in which the first field value(in error_number) that appear in the event is not equal to "23424". The error_number="23424" could appear in the event, but it cannot be the first error_number in the event.

Tags (2)
1 Solution

lguinn2
Legend

This should work:

yoursearchhere 
| eval error_number0 = mvindex(error_number,0)
| where error_number0 != "23424"

View solution in original post

lguinn2
Legend

This should work:

yoursearchhere 
| eval error_number0 = mvindex(error_number,0)
| where error_number0 != "23424"

edrivera3
Builder

Thank you. It worked perfectly.

0 Karma

edrivera3
Builder

Hi
Is there a way that I could get only the field values that happened before the field value, error_number=23424 ? For example I have the following errors in one event: 1002, 3450, 23424, and 34332. All of the errors are in the multi-value field error_number.

I would like to save only the field value, error_number=3450.

0 Karma

lguinn2
Legend
 yoursearchhere 
 | eval index = mvfind(error_number,"23424")
 | where isnotnull(index) AND index!=0 
 | eval new_error_number = mvindex(error_number,index-1)

If you actually want to set error_number to the single value that preceded "23424", just change new_error_number to error_number

edrivera3
Builder

Thank you. It worked perfectly. I appreciate your help.

0 Karma
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...