Solved: How to Pull specific value from MV field?

morgantay96 · ‎06-20-2022

Hi All,

I have a mv field with a bunch of different values. I want to learn how to pull specific values based on string criteria. For examle the multivalue field may contain

"App: A; sn_ubs; Owner_Bob; Criticality_3;"

How would I create an eval to pull just the "sn_ubs" into a new field name SN?

I am unsure of what manipulation does this. I have tried mvfilter and that works but doesn't break out the value.

morgantay96 · ‎06-20-2022

If anyone has this issue I figured it out.

Just ensure your field is multivalue then use mvfilter

| eval [new_field] = mvfilter(match([old mv field], "[string to match]"))

View solution in original post

morgantay96 · ‎06-20-2022

If anyone has this issue I figured it out.

Just ensure your field is multivalue then use mvfilter

| eval [new_field] = mvfilter(match([old mv field], "[string to match]"))

morgantay96 · ‎06-20-2022

Also I would want to set a default value if a record does not contain that "sn_ubs" entry

How to Pull specific value from MV field?

eval

fields

regex

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation