Hello,
I am looking at the results of a table lookup, where many values for a particular field are returned. This is exactly what I want, but I would like to further evaluate one of the fields and only show the tabled results that match a string.
When I attempt to pipe my search into another search, all of the fields still remain, even if I try to match against field_name=one_of_many_values. Is there a way to remove these fields from the search results / MVF?
Thank you,
Jim
Yes, you can use the "mvfilter" function of the "eval" command. For instance:
... | eval field_name = mvfilter(field_name LIKE "abc-%")
This will retain all values that start with "abc-".
In general, you can put any predicate in mvfilter, and eval will iterate through all the values of the implied multi-valued field and keep only those that evaluate to "true".
This only works if the value for which you want to filter is constant. The mvfilter command won't accept field names as part of the boolean expression other than the multi-value field being filtered.
OK, maybe not perfectly - and I am changing up my requirements a bit. I have a table of report_name, and report_type and they are both MV fields. I only want to print out the report_name, where the report_type=chart.
When using mvfilter, I cannot filter out the report_type that we removed with the filter, unless I display their fields alone. Unfortunately, the field that I want a unique list of, I also want to hide in the tabled results.
This works out perfectly!
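
The follow-up case in this thread (show only the report_name values whose report_type is chart, and hide report_type) can be handled by pairing the two fields before calling mvfilter, so the predicate still refers to a single multivalue field. This is an added example, not a search posted in the original thread; the makeresults sample values are constructed. It assumes the two fields are position-aligned, that "::" never occurs in the values, and that mvmap is available (Splunk 8.0 or later).

```spl
| makeresults
| eval report_name=split("sales_daily,sales_trend,errors_raw,latency_trend", ","),
       report_type=split("table,chart,event,chart", ",")
| eval pair=mvzip(report_name, report_type, "::")
| eval pair=mvfilter(pair LIKE "%::chart")
| eval report_name=mvmap(pair, mvindex(split(pair, "::"), 0))
| fields - pair, report_type
| table report_name
```

mvzip joins the values by position, mvfilter keeps only the pairs ending in "::chart", and mvmap strips the type back off each surviving pair, leaving report_name with sales_trend and latency_trend.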