Splunk Search

Return index position of {someValue} in multi-value field


I'm using transaction to combine events & generate multi-value fields. What I want to do is keep the values of a mv field after the first occurance of some value.

My first guess was to use a command that returned the index position of the value within the mv field, then use mvindex to get what I wanted. Only problem, I don't see a command that let's me search of mvfield and get the location of "value".

Am I missing something? If not, anyone have a workaround?

Just to clarify, if I have the following mv field called Names: john bob fred don

I want to get rid of all values before the 1st occurance of bob. End result would be: bob fred don

Thanks in advance!

Tags (1)
0 Karma

New Member

Think that rawKeys have "aaa,bbb,ccc".

the solution: ... | eval keys=split(rawKeys,",") | eval countKeys=mvcount(keys) | mvexpand keys | map search=" search | head 1 | eval key=\"$keys$\" | eval rawKeys=\"$rawKeys$,\" | eval countKeys=\"$countKeys$\" | rex field=rawKeys \"$keys$(?.*)\" | eval positionKey=(countKeys-(mvcount(split(endBlock,\",\"))-1) ) " ...

in the end result "aaa" positionKey = 0, "bbb" positionKey = 1 and "ccc" positionKey = 2.

0 Karma

Path Finder

I don't know which version it was introduced in, but mvrange and mvzip can be used.

| eval keys = split(rawKeys, ",")
| eval index_and_key = mvzip(mvrange(0, mvcount(keys)), keys, ",")


0 Karma


One workaround:

host=xxx | search Names="bob" | eval DelimitedNames=mvjoin(Names,";") | rex mode=sed field=DelimitedNames "s/^(.*?;)*bob/bob/" | eval InterestingNames=split(DelimitedNames,";")

Flatten the multi-value field into a text string, then use rex to strip out everything before "bob", and then expand the result back into a multi-value field.

Remove search Names="bob" if you want to preserve all values when bob is not seen at all.