Solved: How to Pull specific value from MV field?

morgantay96 · ‎06-20-2022

Hi All,

I have a mv field with a bunch of different values. I want to learn how to pull specific values based on string criteria. For examle the multivalue field may contain

"App: A; sn_ubs; Owner_Bob; Criticality_3;"

How would I create an eval to pull just the "sn_ubs" into a new field name SN?

I am unsure of what manipulation does this. I have tried mvfilter and that works but doesn't break out the value.

morgantay96 · ‎06-20-2022

If anyone has this issue I figured it out.

Just ensure your field is multivalue then use mvfilter

| eval [new_field] = mvfilter(match([old mv field], "[string to match]"))

View solution in original post

morgantay96 · ‎06-20-2022

If anyone has this issue I figured it out.

Just ensure your field is multivalue then use mvfilter

| eval [new_field] = mvfilter(match([old mv field], "[string to match]"))

morgantay96 · ‎06-20-2022

Also I would want to set a default value if a record does not contain that "sn_ubs" entry

How to Pull specific value from MV field?

eval

fields

regex

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?