Splunk Search

How do you change one value in a multivalue field?

wmyersas
Builder

I have tried

| eval mvindex(mvfield,0)="my new value"

But it does not work.

Is it even possible to change/replace/delete a single value in a multivalue field?

1 Solution

kamlesh_vaghela
SplunkTrust

@wmyersas

You can add/modify/delete the multivalued field (list) by following the simple approach below.

Here, you need to separate the existing multivalued field into 2 temporary fields at your desired index value (array index); see the head and tail fields in the examples below. Using these fields we are able to perform an ADD/EDIT/DELETE action on the value at index level.

Example:

ADD:

| makeresults count=10
| eval n=1
| accum n
| stats delim="," values(n) as n
| nomv n
| eval list=split(n,","), selected_index=1, new_val="1000",
    head=mvindex(list,0,selected_index-1),
    tail=mvindex(list,selected_index,mvcount(list)-1),
    new_list=mvappend(head,new_val,tail)

UPDATE:

| makeresults count=10
| eval n=1
| accum n
| stats delim="," values(n) as n
| nomv n
| eval list=split(n,","), selected_index=1, selected_val="1000",
    head=mvindex(list,0,selected_index-1),
    tail=mvindex(list,selected_index+1,mvcount(list)-1),
    new_list=mvappend(head,selected_val,tail)

DELETE:

| makeresults count=10
| eval n=1
| accum n
| stats delim="," values(n) as n
| nomv n
| eval list=split(n,","), remove_index=1,
    head=mvindex(list,0,remove_index-1),
    tail=mvindex(list,remove_index+1,mvcount(list)-1),
    new_list=mvappend(head,tail)

Note: Kindly check carefully the difference between the last eval in all 3 searches.

Thanks

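An added example (not from kamlesh_vaghela's post or from Splunk's documentation) of the same head/tail technique with guards for the boundary positions. The searches above assume selected_index is somewhere in the middle of the list: with selected_index=0 the head expression becomes mvindex(list,0,-1), and because a negative index counts from the end of the list that returns the whole list rather than an empty head, so the "deleted" value reappears. The same kind of problem occurs for the last position when computing tail. The sample list is constructed; the guards rely on if() returning null() and on mvappend() skipping null arguments, and in_range is there so a search can refuse out-of-range indexes instead of silently producing a wrong list.

```spl
| makeresults
| eval list=split("alpha,beta,gamma,delta", ",")
| eval selected_index=0, new_val="omega"
| eval last=mvcount(list)-1
| eval in_range=if(selected_index>=0 AND selected_index<=last, "yes", "no")
| eval head=if(selected_index>0, mvindex(list, 0, selected_index-1), null())
| eval tail=if(selected_index<last, mvindex(list, selected_index+1, last), null())
| eval added=mvappend(head, new_val, mvindex(list, selected_index, last))
| eval updated=mvappend(head, new_val, tail)
| eval deleted=mvappend(head, tail)
| table list selected_index in_range head tail added updated deleted
```

With selected_index=0 this gives an empty head, tail of beta/gamma/delta, added of omega/alpha/beta/gamma/delta, updated of omega/beta/gamma/delta and deleted of beta/gamma/delta; change selected_index to 3 to check the last-position case, or to 4 to see in_range flip to "no".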

jocobknight
Explorer

If you don't know the index of the field you're trying to manipulate, then you can use a unique delimiter to unpack it, edit the value with string manipulation functions, and then repack it:

| makeresults
| eval log=split("ne,se,sw,nw", ",")
| eval old=log
| eval dlm="__".random()."__"
| eval log=mvjoin(log, dlm)
| eval log=replace(log, "n", "North-")
| eval log=replace(log, "s", "South-")
| eval log=replace(log, "e", "East")
| eval log=replace(log, "w", "West")
| eval log=split(log, dlm)

jocobknight
Explorer

(To be fair, the unique delimiter isn't necessary if you know your data well enough to pick a static one that won't conflict; it would be more performant than calculating a random integer every event)

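An added example (not from jocobknight's posts or Splunk's documentation) for the case somesoni2 raised, where the value to change is identified by a pattern rather than by its position. It uses mvmap() to rewrite values one at a time, which avoids the substring side effects of running replace() over the joined string (a replacement that itself contains "n" or "s" would be rewritten again by the next replace), mvfilter() to drop values by regex, and mvfind() to recover the index of a value so that the head/tail approach from the accepted answer can be applied to it. The sample list is constructed; mvmap() needs Splunk 8.0 or later, while mvfilter() and mvfind() are available in the 7.3 release the thread refers to.

```spl
| makeresults
| eval list=split("ne,se,sw,nw", ",")
| eval updated=mvmap(list, case(list="ne", "North-East", list="se", "South-East", list="sw", "South-West", list="nw", "North-West", true(), list))
| eval kept=mvfilter(match(list, "^n"))
| eval sw_index=mvfind(list, "^sw$")
| table list updated kept sw_index
```

Here updated carries the four expanded names in their original order, kept contains only ne and nw, and sw_index is 2, which can be fed straight into selected_index or remove_index in the index-based searches.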

wmyersas
Builder

Don't know that I'd call that "simple" - but it does seem to work 🙂


sandeepmakkena
Contributor

| eval fields=split(mvfield,"/")
| eval my_new_value=mvindex(fields,0)

Before you use mvindex, try using split first.

Hope this helps, Thanks!


wmyersas
Builder

How is using split() on a multivalue field going to help?

In my example, mvfield is already multivalue, and there may (or may not) be any common character (e.g. /) in each item of the multivalue field.

I want to change one specific item in a multivalue field, not create a multivalue field from a single-value one.


somesoni2
Revered Legend

What type of values are stored in your multivalued field and what updates do you want to make? Does it depend upon the index of the value, or can it be identified by some regex?


wmyersas
Builder

For the moment, assume it's text values (though it could be anything)

And, depending on the search, I may want to change a specific value to something else, delete it, or push a new value into the mvfield not at the end (this last instance might be possible with mvappend (https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/MultivalueEvalFunctions#mvappend....), but I'm not sure).
