Solved: How do you change one value in a multivalue field?

wmyersas · ‎10-17-2019

I have tried

| eval mvindex(mvfield,0)="my new value"

But it does not work.

Is it even possible to change/replace/delete a single value in a multivalue field?

kamlesh_vaghela · ‎10-17-2019

@wmyersas

You can add/modify/delete the multivalued field (list) by following simple following approach.

Here, you need to separate the existing multivalued field into 2 temporary fields from your desired index values ( array index), see head and tail fields in the below examples. Using these fields we are able to perform ADD/EDIT/DELETE action on the value of index level.

Example:

ADD:

| makeresults count=10 
| eval n=1 
| accum n 
| stats delim="," values(n) as n 
| nomv n 
| eval list=split(n,","), selected_index=1,new_val = "1000",head=mvindex(list,0,(selected_index)-1),tail=mvindex(list,(selected_index),mvcount(list)-1),new_list=mvappend(head,new_val,tail)

UPDATE:

| makeresults count=10 
| eval n=1 
| accum n 
| stats delim="," values(n) as n 
| nomv n 
| eval list=split(n,","), selected_index=1,selected_val = "1000",head=mvindex(list,0,(selected_index-1)),tail=mvindex(list,(selected_index+1),mvcount(list)-1),new_list=mvappend(head,selected_val,tail)

DELETE:

| makeresults count=10 
| eval n=1 
| accum n 
| stats delim="," values(n) as n 
| nomv n 
| eval list=split(n,","), remove_index=1,head=mvindex(list,0,(remove_index-1)),tail=mvindex(list,(remove_index+1),mvcount(list)-1),new_list=mvappend(head,tail)

Note: Kindly carefully check the difference between the last eval in all 3 searches.

Thanks

View solution in original post

jocobknight · ‎12-10-2020

If you don't know the index of the field you're trying to manipulate, then you can use a unique delimiter to unpack it, edit the value with string manipulation functions, and then repack it:

| makeresults
| eval log=split("ne,se,sw,nw", ",")
| eval old=log
| eval dlm="__".random()."__"
| eval log=mvjoin(log, dlm)
| eval log=replace(log, "n", "North-")
| eval log=replace(log, "s", "South-")
| eval log=replace(log, "e", "East")
| eval log=replace(log, "w", "West")
| eval log=split(log, dlm)

jocobknight · ‎12-10-2020

(To be fair, the unique delimiter isn't necessary if you know your data well enough to pick a static one that won't conflict; it would be more performant than calculating a random integer every event)

kamlesh_vaghela · ‎10-17-2019

@wmyersas

You can add/modify/delete the multivalued field (list) by following simple following approach.

Here, you need to separate the existing multivalued field into 2 temporary fields from your desired index values ( array index), see head and tail fields in the below examples. Using these fields we are able to perform ADD/EDIT/DELETE action on the value of index level.

Example:

ADD:

| makeresults count=10 
| eval n=1 
| accum n 
| stats delim="," values(n) as n 
| nomv n 
| eval list=split(n,","), selected_index=1,new_val = "1000",head=mvindex(list,0,(selected_index)-1),tail=mvindex(list,(selected_index),mvcount(list)-1),new_list=mvappend(head,new_val,tail)

UPDATE:

| makeresults count=10 
| eval n=1 
| accum n 
| stats delim="," values(n) as n 
| nomv n 
| eval list=split(n,","), selected_index=1,selected_val = "1000",head=mvindex(list,0,(selected_index-1)),tail=mvindex(list,(selected_index+1),mvcount(list)-1),new_list=mvappend(head,selected_val,tail)

DELETE:

| makeresults count=10 
| eval n=1 
| accum n 
| stats delim="," values(n) as n 
| nomv n 
| eval list=split(n,","), remove_index=1,head=mvindex(list,0,(remove_index-1)),tail=mvindex(list,(remove_index+1),mvcount(list)-1),new_list=mvappend(head,tail)

Note: Kindly carefully check the difference between the last eval in all 3 searches.

Thanks

wmyersas · ‎10-18-2019

Don't know that I'd call that "simple" - but it does seem to work 🙂

sandeepmakkena · ‎10-17-2019

| eval fields=split(mvfield,"/") 
| eval my_new_value=mvindex(fields,0)

before you use mvindex try using split before that.

Hope this helps, Thanks!

wmyersas · ‎10-17-2019

How is using split() on a multivalue field going to help?

in my example, mvfield is already multivalue - and there may (or may not) be any common character (eg /) in each item of the multivalue field

I want to change one specific item in a multivalue field - not create a multivalue field from a single value one

somesoni2 · ‎10-17-2019

What type of values are stored in yoru multivalued field and what updates you want to make? Does it depends upon the index of value or can be identified by some regex?

wmyersas · ‎10-17-2019

For the moment, assume it's text values (though it could be anything)

And, depending on the search, I may want to change a specific value to something else, delete it, or push a new value into the mvfield not at the end (this last instance might be possible with mvappend (https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/MultivalueEvalFunctions#mvappend....), but I'm not sure

How do you change one value in a multivalue field?

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector