Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Pull specific value from MV field?

morgantay96
Path Finder
‎06-20-2022 03:34 PM

Hi All,

I have a mv field with a bunch of different values. I want to learn how to pull specific values based on string criteria. For examle the multivalue field may contain

"App: A;  sn_ubs;  Owner_Bob; Criticality_3;"

How would I create an eval to pull just the "sn_ubs" into a new field name SN?

I am unsure of what manipulation does this. I have tried mvfilter and that works but doesn't break out the value.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

morgantay96
Path Finder
‎06-20-2022 03:42 PM

If anyone has this issue I figured it out.


Just ensure your field is multivalue then use mvfilter

| eval [new_field] = mvfilter(match([old mv field], "[string to match]"))

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

morgantay96
Path Finder
‎06-20-2022 03:42 PM

If anyone has this issue I figured it out.


Just ensure your field is multivalue then use mvfilter

| eval [new_field] = mvfilter(match([old mv field], "[string to match]"))

0 Karma
Reply
Solved! Jump to solution

morgantay96
Path Finder
‎06-20-2022 03:36 PM

Also I would want to set a default value if a record does not contain that "sn_ubs" entry

0 Karma
Reply
Get Updates on the Splunk Community!

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...