Splunk Search

Trouble using mvfind on multivalue field

techusky
Explorer

I am trying to exclude results from my search if a certain string occurs in one of the hyperlinks in the results. The relevant part of the JSON that is sent to Splunk is listed below:

"hyperlinks":[{"url":"http://www.url1.com"},{"url":"http://www.url2.com"},{"url":"http://www.url3.com"},{"url":"http://www.url4.com"},{"url":"http://www.url5.com"}]

So let's say that I want to exclude any search results if "url2" is in the hyperlinks field. What I've been trying hasn't been working:

where NOT mvfind(hyperlinks, "url2")

Including that where clause in my search gives me the following error:

Error in 'where' command: Typechecking failed. 'XOR' only takes boolean arguments.
1 Solution

martin_mueller
SplunkTrust

mvfind() returns a number or null: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
Try wrapping it in isnull() instead of using NOT.


walkerhound
Path Finder

Have you tried using spath? There is an example here of using spath with JSON

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/spath



martin_mueller
SplunkTrust

So this means you always get null - make sure your field is being extracted properly and is actually called hyperlinks.


techusky
Explorer

I know the field is called hyperlinks. However, when I usually access the URLs in events, let's say to print the events in a table, I do so with: | table hyperlinks{}.url

However, I can't use that bracket notation with the mvfind command, or I get an error: "Error in 'where' command: The expression is malformed. Expected )."

Which is what led me to try using just "hyperlinks" in the mvfind command.


martin_mueller
SplunkTrust

If the field is called hyperlinks{}.url in table, then hyperlinks isn't going to magically work in eval. Curly braces (and the dot, actually) are special characters in eval expressions, so you will need to enclose the field name in single quotes: 'hyperlinks{}.url'


techusky
Explorer

D'oh! I didn't realize about needing to use the single quotes. That was all I was missing. Everything is working as expected now. Thanks for the help.


martin_mueller
SplunkTrust

Do you want to exclude events that contain the string or that don't contain the string?

If the former, use isnotnull().


techusky
Explorer

I want to exclude events that DO contain the string. Using isnull() shows every single event regardless. Using isnotnull() shows 0 events, so neither is working correctly.


techusky
Explorer

Doesn't look like that did the trick. While I'm no longer getting an error, the results aren't actually being excluded. I just tried:
where isnull(mvfind(hyperlinks, "url2"))

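The behaviour the thread settles on (mvfind returns an index or null, never a boolean, and the JSON-extracted field has to be referenced as 'hyperlinks{}.url' inside eval/where) can be modelled outside Splunk to see why the original "NOT mvfind(...)" could not work and what the working filter actually does. The following is an added example, not code from the thread or from Splunk; the sample events are constructed from the JSON fragment in the question, and mvfind() is an approximation of the Splunk function (first matching index or None). It also shows one caveat the thread does not mention: the second argument of mvfind is a regular expression, so "url2" also matches a URL such as url20.com unless the pattern is made more specific.

```python
import json
import re
from typing import List, Optional

# Constructed sample events, modelled on the "hyperlinks" JSON in the question.
# Event 3 deliberately contains "url20" to show the regex-substring caveat.
SAMPLE_JSON = """
[
 {"id": 1, "hyperlinks": [{"url": "http://www.url1.com"}, {"url": "http://www.url2.com"}, {"url": "http://www.url3.com"}]},
 {"id": 2, "hyperlinks": [{"url": "http://www.url4.com"}, {"url": "http://www.url5.com"}]},
 {"id": 3, "hyperlinks": [{"url": "http://www.url20.com"}]},
 {"id": 4, "hyperlinks": []}
]
"""
SAMPLE_EVENTS = json.loads(SAMPLE_JSON)


def extract_urls(event: dict) -> List[str]:
    """Stand-in for the multivalue field Splunk exposes as hyperlinks{}.url."""
    return [link["url"] for link in event.get("hyperlinks", [])]


def mvfind(values: List[str], regex: str) -> Optional[int]:
    """Approximation of Splunk mvfind(MVFIELD, REGEX): the index of the first
    value that matches the regex (unanchored search), or None when nothing
    matches.  The result is a number or null, which is why wrapping it in
    NOT fails the type check and isnull()/isnotnull() is the right test."""
    pattern = re.compile(regex)
    for index, value in enumerate(values):
        if pattern.search(value):
            return index
    return None


def exclude_matching(events: List[dict], regex: str) -> List[int]:
    """Equivalent of: | where isnull(mvfind('hyperlinks{}.url', "<regex>"))
    Returns the ids of the events that survive the filter."""
    return [e["id"] for e in events if mvfind(extract_urls(e), regex) is None]


def keep_matching(events: List[dict], regex: str) -> List[int]:
    """Equivalent of: | where isnotnull(mvfind('hyperlinks{}.url', "<regex>"))"""
    return [e["id"] for e in events if mvfind(extract_urls(e), regex) is not None]


if __name__ == "__main__":
    # "url2" as a bare regex also drops event 3 (url20.com).
    print("excluded with 'url2':   kept ids", exclude_matching(SAMPLE_EVENTS, "url2"))
    # Escaping the dot limits the match to the host actually meant.
    print("excluded with 'url2\\.': kept ids", exclude_matching(SAMPLE_EVENTS, r"url2\."))
    print("kept with isnotnull:    ids", keep_matching(SAMPLE_EVENTS, "url2"))
```

In Splunk terms, exclude_matching corresponds to `| where isnull(mvfind('hyperlinks{}.url', "url2"))` and keep_matching to the isnotnull() form; when the intent is to match a specific host rather than any URL containing the substring, tighten the regex (for example `"url2\."` or the full hostname) rather than relying on the bare substring.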