Solved: Re: Remove multiple values from a multi-value fiel...

landen99 · ‎01-22-2016

I would like to remove multiple values from a multi-value field.

Example:

field_multivalue = pink,fluffy,unicorns

Remove pink and fluffy so that:

field_multivalue = unicorns

I am thinking maybe:

| stats values(field1) AS field_multivalue by field2 | mvfilter

OR

| stats values(field1) AS field_multivalue by field2  | mvexpand field_multivalue | search field_multivalue!="pink" field_multivalue!="fluffy" | mvcombine field_multivalue

How would you recommend doing this? The list of values to filter out is over a dozen.

somesoni2 · ‎01-22-2016

I would use mvfilter, specially in the cases where patterns to be filtered is small and entities in mv field is high. Like this

| gentimes start=-1 | eval field1="pink,fluffy,unicorns" | table field1 | makemv field1 delim="," | eval field1_filtered=mvfilter(NOT match(field1,"pink") AND NOT match(field1,"fluffy"))

View solution in original post

somesoni2 · ‎01-22-2016

I would use mvfilter, specially in the cases where patterns to be filtered is small and entities in mv field is high. Like this

| gentimes start=-1 | eval field1="pink,fluffy,unicorns" | table field1 | makemv field1 delim="," | eval field1_filtered=mvfilter(NOT match(field1,"pink") AND NOT match(field1,"fluffy"))

Remove multiple values from a multi-value field

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Remove multiple values from a multi-value field

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES