Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to only keep a certain type of value for a multivalue field?

dmacgillivray
Communicator
‎09-06-2016 02:54 PM

Hello Splunkers,

I have a question about data I am trying to draw from Splunk. If you look at the fields, I am am trying to do something like this.

Table

report_name, report_date, time
AReport 2016-07-08 1:00PM
BReport junkdatakdls;f 2:00PM
CReport morejunkkfkdsd 3:00PM

From the above, how can I ask Splunk to keep only the report_date multivalue field value (Type of YYYY-MM-DD)
I will like to leave the junk data out of that field, but do not want to restrict the count of rows either. So I would like to make any field that is not in a date format of YYYY-MM-DD just blank.

Thanks,
Daniel MacGillivray

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-06-2016 03:39 PM

In your search, you can filter out events that do not meet a specific pattern like this

... | regex report_date="\d{4}-\d\d-\d\d"

OR, if report_date is a multivalue field, you can use mvfilter, like this

... | eval report_date=mvfilter(match(report_date, "\d{4}-\d\d-\d\d"))

http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/CommonEvalFunctions#Multivalue_fun...

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-06-2016 03:39 PM

In your search, you can filter out events that do not meet a specific pattern like this

... | regex report_date="\d{4}-\d\d-\d\d"

OR, if report_date is a multivalue field, you can use mvfilter, like this

... | eval report_date=mvfilter(match(report_date, "\d{4}-\d\d-\d\d"))

http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/CommonEvalFunctions#Multivalue_fun...

Reply
Solved! Jump to solution

dmacgillivray
Communicator
‎09-06-2016 06:02 PM

Hi Sundareshr,

Thank You ! They both worked equally well. To add to these, I ended up finding some more records in this field than I wanted to see, so what I just added beginning and eol characters for good measure.

| regex report_date="^\d{4}-\d\d-\d\d$"
| eval report_date=mvfilter(match(Report_Date, "^\d{4}-\d\d-\d\d$"))
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...