How to use mvfilter Function to search two field v...

Mr_Adate · ‎06-12-2023

Hello All,

I wanted to search "field_A" data value from "field_B" data values into "field_C" but only if field_A values match with field_B

Data example

Sr. field_A field_B

1. AD_Name_A AD_Name_C; AD_Name_Z; AD_Name_A;AD_Name_B

2. AD_Name_K AD_Name_K; AD_Name_C; AD_Name_D

3. AD_Name_M AD_Name_J;AD_Name_K

4. AD_Name_Z AD_Name_C;AD_Name_Z;AD_Name_L;AD_Name_O;AD_Name_D

I am trying to use below mentioned command but not working.

| makemv delim=";" field_B

| eval field_C =mvfilter(if('field_A'='field_B',"Match",'field_A'))

I am also tried below command but no luck.

| eval field_C=mvfilter(match('field_A'='field_B')

Please help me to on it.

Mr_Adate · ‎06-12-2023

@ITWhisperer Thank you. Your command is not giving me output if field_A have more than 1 values like

sr. field_A field_B
1. AD_Name_C AD_Name_C

AD_Name_B AD_Name_B

AD_Name_A AD_Name_A

2. AD_Name_K AD_Name_K

AD_Name_L AD_Name_L

please help

ITWhisperer · ‎06-12-2023

| foreach mode=multivalue field_A
    [| eval field_C=if(isnotnull(mvfind(field_B,<<ITEM>>)),if(isnull(field_C),<<ITEM>>,mvappend(field_C,<<ITEM>>)),field_C)]

ITWhisperer · ‎06-12-2023

| eval field_C =if(isnotnull(mvfind(field_B,field_A)),field_A,null())

How to use mvfilter Function to search two field values?

eval

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Are you a member of the Splunk Community?

How to use mvfilter Function to search two field values?

eval

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025