Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to remove values specified in a field from a list of values in another field?

andrewtrobec
Motivator
‎12-28-2017 09:39 AM

Hello,

Given two list fields add and remove, as well as a currentList list field, is it possible to create a new fieldupdatedListso that gets updated with add values and without remove values?

add,remove,currentList,updatedList
value1,value2,value2 value3 value4, value1 value3 value4
value5,value3 value4,value1 value3 value4,value1 value5

Any hints would be great!

Best regards,

Andrew

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-28-2017 01:05 PM

Here's a run-anywhere possibility:

| makeresults | eval add="value1", remove="value2", current="value2 value3 value4"
| append [| makeresults | eval add="value5", remove="value3 value4", current="value1 value3 value4"]
| makemv add 
| makemv remove 
| makemv current
| eval current_plus_add=mvappend(add, current)
| streamstats window=1 current=t values(current_plus_add) AS distinct_current_plus_add, values(remove) AS distinct_remove
| eval distinct_current_plus_add_plus_distinct_remove=mvappend(distinct_current_plus_add, distinct_remove)
| streamstats count AS serial
| stats count BY distinct_current_plus_add_plus_distinct_remove serial
| search count=1
| stats list(distinct_current_plus_add_plus_distinct_remove) AS after_add_remove BY serial

View solution in original post

Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-28-2017 01:05 PM

Here's a run-anywhere possibility:

| makeresults | eval add="value1", remove="value2", current="value2 value3 value4"
| append [| makeresults | eval add="value5", remove="value3 value4", current="value1 value3 value4"]
| makemv add 
| makemv remove 
| makemv current
| eval current_plus_add=mvappend(add, current)
| streamstats window=1 current=t values(current_plus_add) AS distinct_current_plus_add, values(remove) AS distinct_remove
| eval distinct_current_plus_add_plus_distinct_remove=mvappend(distinct_current_plus_add, distinct_remove)
| streamstats count AS serial
| stats count BY distinct_current_plus_add_plus_distinct_remove serial
| search count=1
| stats list(distinct_current_plus_add_plus_distinct_remove) AS after_add_remove BY serial
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎12-28-2017 03:14 PM

Beautiful! I hope that a future feature for multivalues will be mvremove or something like that so we can easily remove values instead of tricky workarounds!

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎12-28-2017 06:46 PM

@andrewtrobec, you can create your own custom commands 🙂

https://docs.splunk.com/Documentation/Splunk/latest/Search/Customsearchcommandshape
http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-28-2017 11:22 AM

Is field currentList multivalued field? Also, are add and remove multivalued field or single valued?

Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎12-28-2017 11:34 AM

currentList, add, and remove are all multivalue fields. I've figured the add part out:

| eval currentList=mvdedup(mvappend(currentList, add))

I just need to figure out the remove part.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-28-2017 12:09 PM

Unfortunately, there is no easy/direct way for removal from multivalued field. One method could be like this. 

your current search with fields add, remove and currentList
| eval currentList=mvdedup(mvappend(currentList, add))
| nomv remove 
| streamstats count as sno
| mvexpand currentList
| where len(replace(remove,currentList,"")=len(remove)
| stats values(*) as * by sno | fields - sno
0 Karma
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎12-28-2017 12:42 PM

I've cut and pasted the code into my search but it doesn't seem to work, it just kinda messes up the fields. I'll deconstruct the logic and play around with it. Thanks!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...