I am trying to exclude results from my search if a certain string occurs in one of the hyperlinks in the results. The relevant part of the JSON that is sent to Splunk is listed below:
"hyperlinks":[{"url":"http://www.url1.com"},{"url":"http://www.url2.com"},{"url":"http://www.url3.com"},{"url":"http://www.url4.com"},{"url":"http://www.url5.com"}]
So let's say that I want to exclude any search results if "url2" is in the hyperlinks field. What I've been trying hasn't been working:
where NOT mvfind(hyperlinks, "url2")
Including that where clause in my search gives me the following error:
Error in 'where' command: Typechecking failed. 'XOR' only takes boolean arguments.
mvfind() returns a number or null: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
Try wrapping it in isnull() instead of using NOT.
Have you tried using spath? There is an example here of using spath with JSON
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/spath
So this means you always get null - make sure your field is being extracted properly and is actually called hyperlinks.
I know the field is called hyperlinks. However, when I usually access the URLs in events, let's say to print the events in a table, I do so with: | table hyperlinks{}.url
However, I can't use that bracket notation with the mvfind command, or I get an error: "Error in 'where' command: The expression is malformed. Expected )." That is what led me to try using just "hyperlinks" in the mvfind command.
If the field is called hyperlinks{}.url in table, then hyperlinks isn't going to magically work in eval. Curly braces (and the dot, actually) are special characters in eval expressions, so you will need to enclose the field name in single quotes: 'hyperlinks{}.url'
D'oh! I didn't realize about needing to use the single quotes. That was all I was missing. Everything is working as expected now. Thanks for the help.
Do you want to exclude events that contain the string or that don't contain the string? If the former, use isnotnull().
I want to exclude events that DO contain the string. Using isnull() shows every single event regardless. Using isnotnull() shows 0 events, so neither is working correctly.
Doesn't look like that did the trick. While I'm no longer getting an error, the results aren't actually being excluded. I just tried:
where isnull(mvfind(hyperlinks, "url2"))