Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove field values from one multi-valued field which values are present in another multi-valued field

VatsalJagani
SplunkTrust
SplunkTrust
‎07-05-2022 04:44 AM

Remove field values from one multi-valued field which values are present in another multi-valued field

Looking for something like:

 

 

| eval dest=mvfilter(if(dest IN email_sender, null(), dest))

 

 

Here dest contains both sender and receiver of the email. hence I'm trying to exclude the sender from it.

(FYI, the sender is also a multi-valued field that's because I've used stats before it.)

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎07-05-2022 07:20 PM

Use mvmap. See this example

| makeresults count=1
| eval dest=split("User1,User2,User3,User4,User5",",")
| eval sender=split("User3,User7", ",")
| table sender dest
| eval dest=mvmap(dest,if(isnull(mvfind(sender,dest)),dest,null))

last line removes 'User3' from the dest field as it's one of the senders.

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎07-05-2022 07:25 PM

If I'm not mistaken, mvfilter() does just that.  You can use mvmap() to iterate over email_sender.

| eval dest=mvmap(email_sender, mvfilter(isnull(mvfind(dest, "^" . email_sender . "$"))))

 The mvfind() expression assumes that each email_sender would match the exact spelling if it appears in dest.

Tags (2)
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎07-05-2022 11:37 PM

Thanks @yuanliu. Logically I thought this should work but somehow mvfilter doesn't want to work. Anyways it worked with @bowesmana answer without mvfilter.

VatsalJagani_0-1657089389258.png

 

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎07-06-2022 07:55 PM

I think I know why mvfilter gives error.  mvfilter requires its argument to only involve one multivalue variable.  But because of mvfind, it now involves both dest and email_sender, even though email_sender is actually single-valued inside the mvmap iterator.  In fact, mvfilter will parse to error even if email_sender is genuinely single valued.

There might be some roundabout way to turn email_sender into a pattern substitution instead of a variable, but that is in itself too convoluted.

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎07-06-2022 09:56 PM

@yuanliu - Yeah, mvfilter can reference only one field, the rest should be only string/pattens.

The expression can reference only one field.

(From doc - https://docs.splunk.com/Documentation/SCS/current/SearchReference/MultivalueEvalFunctions)

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎07-05-2022 07:20 PM

Use mvmap. See this example

| makeresults count=1
| eval dest=split("User1,User2,User3,User4,User5",",")
| eval sender=split("User3,User7", ",")
| table sender dest
| eval dest=mvmap(dest,if(isnull(mvfind(sender,dest)),dest,null))

last line removes 'User3' from the dest field as it's one of the senders.

Reply
Get Updates on the Splunk Community!

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...