Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter out results from splunk search from a set criteria.?

NayneshPatel
New Member
‎01-16-2020 04:06 AM

I have a raw the i extract and filter and table them according to Country
_raw

[{"Conutry":"America","State":"Nevada","Building":"Small"},
{"Conutry":"America","State":"Nevada","Building":"Medium"},
{"Conutry":"America","State":"Nevada","Building":"Large"},
{"Conutry":"Canada","State":"Montreal","Building":"Small"},
{"Conutry":"Canada","State":"Montreal","Building":"Medium"},
{"Conutry":"Canada","State":"Montreal","Building":"Large"}
{"Conutry":"Spain","State":"Barcelona","Building":"Small"},
{"Conutry":"Spain","State":"Barcelona","Building":"Medium"},
{"Conutry":"Spain","State":"Barcelona","Building":"Large"},
{"Conutry":"Spain","State":"Barcelona","Building":"Extra_Large"}]
etc....

My Search is:

index=xyz 
| sourcepath=xyz 
| rename {}.* as * 
| eval tmp=mvzip(mvzip(Conutry,State),Building) 
| mvexpand tmp | eval Conutry=mvindex(split(tmp,","),0),State=mvindex(split(tmp,","),1),Building=mvindex(split(tmp,","),2) 
| table Conutry, State, Building

My Results are grouped by country as follows

Country..../....State..../...Building
America......Nevada........Small
....................Nevada.........Medium
....................Nevada.........Large
Canada.......Montreal......Small
....................Montreal.......Medium
....................Montreal.......Large
Spain.........Barcelona......Small
...................Barcelona......Medium
...................Barcelona......Large
...................Barcelona......Extra_Large
etc....

How do i search or filter out the "Building" Column so that if it contains anything OTHER THAN "Small\Medium\Large", display the results. Note the field "Extra_Large" is NOT the same and can be any word

Expected Results should be

Country..../....State..../...Building
Spain.........Barcelona......Small
...................Barcelona......Medium
...................Barcelona......Large
...................Barcelona......Extra_Large
France.......Paris................Small
...................Paris................Medium
...................Paris................Large
...................Paris................Too_Small

Any help appreciated

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

TISKAR
Builder
‎01-16-2020 05:34 AM

Hi @NayneshPatel :

Can you try by mvfilter, her an example that can filter Building:

| makeresults
| eval HRA="Small,Medium,Large,Extra_Large,Too_Small"
| eval HRA=split(HRA,",")
| mvexpand HRA
| stats values(HRA) as HRA
| eval x=mvfilter(NOT (like(HRA,"Medium")  OR like(HRA,"Small") OR  like(HRA,"Large")))

View solution in original post

Reply
Solved! Jump to solution
Solution

TISKAR
Builder
‎01-16-2020 05:34 AM

Hi @NayneshPatel :

Can you try by mvfilter, her an example that can filter Building:

| makeresults
| eval HRA="Small,Medium,Large,Extra_Large,Too_Small"
| eval HRA=split(HRA,",")
| mvexpand HRA
| stats values(HRA) as HRA
| eval x=mvfilter(NOT (like(HRA,"Medium")  OR like(HRA,"Small") OR  like(HRA,"Large")))
Reply
Solved! Jump to solution

NayneshPatel
New Member
‎01-16-2020 05:50 AM

Thanks Tikar

Added "where !=" to remove the blank rows

Appreciate your Help

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...