Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to remove values specified in a field from a list of values in another field?

andrewtrobec
Motivator
‎12-28-2017 09:39 AM

Hello,

Given two list fields add and remove, as well as a currentList list field, is it possible to create a new fieldupdatedListso that gets updated with add values and without remove values?

add,remove,currentList,updatedList
value1,value2,value2 value3 value4, value1 value3 value4
value5,value3 value4,value1 value3 value4,value1 value5

Any hints would be great!

Best regards,

Andrew

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-28-2017 01:05 PM

Here's a run-anywhere possibility:

| makeresults | eval add="value1", remove="value2", current="value2 value3 value4"
| append [| makeresults | eval add="value5", remove="value3 value4", current="value1 value3 value4"]
| makemv add 
| makemv remove 
| makemv current
| eval current_plus_add=mvappend(add, current)
| streamstats window=1 current=t values(current_plus_add) AS distinct_current_plus_add, values(remove) AS distinct_remove
| eval distinct_current_plus_add_plus_distinct_remove=mvappend(distinct_current_plus_add, distinct_remove)
| streamstats count AS serial
| stats count BY distinct_current_plus_add_plus_distinct_remove serial
| search count=1
| stats list(distinct_current_plus_add_plus_distinct_remove) AS after_add_remove BY serial

View solution in original post

Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎12-28-2017 01:05 PM

Here's a run-anywhere possibility:

| makeresults | eval add="value1", remove="value2", current="value2 value3 value4"
| append [| makeresults | eval add="value5", remove="value3 value4", current="value1 value3 value4"]
| makemv add 
| makemv remove 
| makemv current
| eval current_plus_add=mvappend(add, current)
| streamstats window=1 current=t values(current_plus_add) AS distinct_current_plus_add, values(remove) AS distinct_remove
| eval distinct_current_plus_add_plus_distinct_remove=mvappend(distinct_current_plus_add, distinct_remove)
| streamstats count AS serial
| stats count BY distinct_current_plus_add_plus_distinct_remove serial
| search count=1
| stats list(distinct_current_plus_add_plus_distinct_remove) AS after_add_remove BY serial
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎12-28-2017 03:14 PM

Beautiful! I hope that a future feature for multivalues will be mvremove or something like that so we can easily remove values instead of tricky workarounds!

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎12-28-2017 06:46 PM

@andrewtrobec, you can create your own custom commands 🙂

https://docs.splunk.com/Documentation/Splunk/latest/Search/Customsearchcommandshape
http://dev.splunk.com/view/python-sdk/SP-CAAAEU2

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-28-2017 11:22 AM

Is field currentList multivalued field? Also, are add and remove multivalued field or single valued?

Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎12-28-2017 11:34 AM

currentList, add, and remove are all multivalue fields. I've figured the add part out:

| eval currentList=mvdedup(mvappend(currentList, add))

I just need to figure out the remove part.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-28-2017 12:09 PM

Unfortunately, there is no easy/direct way for removal from multivalued field. One method could be like this. 

your current search with fields add, remove and currentList
| eval currentList=mvdedup(mvappend(currentList, add))
| nomv remove 
| streamstats count as sno
| mvexpand currentList
| where len(replace(remove,currentList,"")=len(remove)
| stats values(*) as * by sno | fields - sno
0 Karma
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎12-28-2017 12:42 PM

I've cut and pasted the code into my search but it doesn't seem to work, it just kinda messes up the fields. I'll deconstruct the logic and play around with it. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...