Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove field values from one multi-valued field which values are present in another multi-valued field

VatsalJagani
SplunkTrust
SplunkTrust
‎07-05-2022 04:44 AM

Remove field values from one multi-valued field which values are present in another multi-valued field

Looking for something like:

 

 

| eval dest=mvfilter(if(dest IN email_sender, null(), dest))

 

 

Here dest contains both sender and receiver of the email. hence I'm trying to exclude the sender from it.

(FYI, the sender is also a multi-valued field that's because I've used stats before it.)

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎07-05-2022 07:20 PM

Use mvmap. See this example

| makeresults count=1
| eval dest=split("User1,User2,User3,User4,User5",",")
| eval sender=split("User3,User7", ",")
| table sender dest
| eval dest=mvmap(dest,if(isnull(mvfind(sender,dest)),dest,null))

last line removes 'User3' from the dest field as it's one of the senders.

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎07-05-2022 07:25 PM

If I'm not mistaken, mvfilter() does just that.  You can use mvmap() to iterate over email_sender.

| eval dest=mvmap(email_sender, mvfilter(isnull(mvfind(dest, "^" . email_sender . "$"))))

 The mvfind() expression assumes that each email_sender would match the exact spelling if it appears in dest.

Tags (2)
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎07-05-2022 11:37 PM

Thanks @yuanliu. Logically I thought this should work but somehow mvfilter doesn't want to work. Anyways it worked with @bowesmana answer without mvfilter.

VatsalJagani_0-1657089389258.png

 

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎07-06-2022 07:55 PM

I think I know why mvfilter gives error.  mvfilter requires its argument to only involve one multivalue variable.  But because of mvfind, it now involves both dest and email_sender, even though email_sender is actually single-valued inside the mvmap iterator.  In fact, mvfilter will parse to error even if email_sender is genuinely single valued.

There might be some roundabout way to turn email_sender into a pattern substitution instead of a variable, but that is in itself too convoluted.

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎07-06-2022 09:56 PM

@yuanliu - Yeah, mvfilter can reference only one field, the rest should be only string/pattens.

The expression can reference only one field.

(From doc - https://docs.splunk.com/Documentation/SCS/current/SearchReference/MultivalueEvalFunctions)

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎07-05-2022 07:20 PM

Use mvmap. See this example

| makeresults count=1
| eval dest=split("User1,User2,User3,User4,User5",",")
| eval sender=split("User3,User7", ",")
| table sender dest
| eval dest=mvmap(dest,if(isnull(mvfind(sender,dest)),dest,null))

last line removes 'User3' from the dest field as it's one of the senders.

Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...