Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter a multivalue field using a subsearch?

chrids
Explorer
‎04-01-2022 11:20 AM

I found a close answer to what I'm looking for here:

https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/45...

The example, excludes 1 example, add \"a\" for more, which works:

| makeresults 
| eval mymvfield ="a b c" 
| makemv mymvfield 
| eval excludes = mvfilter(NOT in(mymvfield, 
    [| makeresults 
    | eval search = "\"b\"" 
    | return $search]))

What I'm looking for, use return which seemingly translates to (b) OR (a) ... :

| makeresults 
| eval mymvfield ="a b c" 
| makemv mymvfield 
| eval excludes = mvfilter(NOT in(mymvfield, 
    [| search something
    | return 3 $some_field]))

I get weird parsing errors which I thought maybe could be solved by using "format" but I'm at a loss.

I reckon you could probably solve this by doing a subsearch and filtering prior to making the multivalue field, I'm however curious if you can make this query work.

Please let me know if anything is unclear.

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-02-2022 01:38 AM

Try something like this

| makeresults 
| eval mymvfield ="a b c" 
| makemv mymvfield 
| eval excludes = mvfilter(NOT  
    [| makeresults 
    | eval mymvfield = "b" 
    | append
        [| makeresults
        | eval mymvfield = "c"]
    | format "" "" "" "" "AND" ""])
Reply

chrids
Explorer
‎04-03-2022 09:41 PM

It's almost there, I can't manage to replace the two "| makeresults/| append" with a "| search" however in the final query.

This:

 

| makeresults 
| eval mymvfield = "b" 
| append
   [| makeresults
    | eval mymvfield = "c"]
    | format "" "" "" "" "AND" ""

 

 evaluates to:

 

mymvfield="b"  AND  mymvfield="c"

 

 
My reduced use-case:

 

| makeresults
| append [
   | search foo
   | fields bar
   | head 2]
| format "" "" "" "" "AND" ""

 

evaluates to:

 

bar="result1"  AND  bar="result2"

 

 

Wrapping that into mvfilter(NOT [ .. ]) gives me: Error in 'eval' command: The expression is malformed. 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-04-2022 12:30 AM

Please share your actual search to determine what might be amiss

Reply

chrids
Explorer
‎04-04-2022 03:14 AM

Got it working! Thanks so much!

I had a syntax error and changed it to a final:

| eval bar_filtered = mvfilter(NOT 
  [ 
    | makeresults
    | append 
      [
        | search foo
        | rename foobar as bar
        | fields bar
      ]
    | format "(" "" "" "" "OR" ")"
  ]
)

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...