Splunk Search

Trouble using mvfind on multivalue field

techusky
Explorer

I am trying to exclude results from my search if a certain string occurs in one of the hyperlinks in the results. The relevant part of the JSON that is sent to Splunk is listed below:

"hyperlinks":[{"url":"http://www.url1.com"},{"url":"http://www.url2.com"},{"url":"http://www.url3.com"},{"url":"http://www.url4.com"},{"url":"http://www.url5.com"}]

So let's say that I want to exclude any search results if "url2" is in the hyperlinks field. What I've been trying hasn't been working:

where NOT mvfind(hyperlinks, "url2")

Including that where clause in my search gives me the following error:

Error in 'where' command: Typechecking failed. 'XOR' only takes boolean arguments.
0 Karma
1 Solution

martin_mueller
SplunkTrust

mvfind() returns a number or null: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
Try wrapping it in isnull() instead of using NOT.

0 Karma

walkerhound
Path Finder

Have you tried using spath? There is an example here of using spath with JSON

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/spath

0 Karma

martin_mueller
SplunkTrust

So this means you always get null - make sure your field is being extracted properly and is actually called hyperlinks.

0 Karma

techusky
Explorer

I know the field is called hyperlinks. However, when I usually access the URLs in events, let's say to print the events in a table, I do so with: | table hyperlinks{}.url

However, I can't use that bracket notation with the mvfind command, or I get an error: "Error in 'where' command: The expression is malformed. Expected )."

Which is what led me to try using just "hyperlinks" in the mvfind command.

0 Karma

martin_mueller
SplunkTrust

If the field is called hyperlinks{}.url in table, then hyperlinks isn't going to magically work in eval. Curly braces (and the dot, actually) are special characters in eval expressions, so you will need to enclose the field name in single quotes: 'hyperlinks{}.url'

0 Karma
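A self-contained search, added here as an illustration rather than taken from the thread, that combines walkerhound's spath suggestion with the single-quoted field name from the reply above. The two JSON events are constructed with makeresults so it runs without any index; match_idx is an assumed helper field name.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n==1,
    "{\"hyperlinks\":[{\"url\":\"http://www.url1.com\"},{\"url\":\"http://www.url2.com\"}]}",
    "{\"hyperlinks\":[{\"url\":\"http://www.url3.com\"},{\"url\":\"http://www.url4.com\"}]}")
| spath
| eval match_idx=mvfind('hyperlinks{}.url', "url2")
| where isnull(match_idx)
| table n hyperlinks{}.url match_idx
```

mvfind returns the zero-based index of the first value matching the regex (1 for the first event) and null when nothing matches, so only the second event survives the where. Because the second argument is a regex, "url2" would also match a value such as url20; a tighter pattern like "url2[.]com" avoids that.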

techusky
Explorer

D'oh! I didn't realize about needing to use the single quotes. That was all I was missing. Everything is working as expected now. Thanks for the help.

0 Karma

martin_mueller
SplunkTrust

Do you want to exclude events that contain the string or that don't contain the string?

If the former, use isnotnull().

0 Karma

techusky
Explorer

I want to exclude events that DO contain the string. Using isnull() shows every single event regardless. Using isnotnull() shows 0 events, so neither is working correctly.

0 Karma

techusky
Explorer

Doesn't look like that did the trick. While I'm no longer getting an error, the results aren't actually being excluded. I just tried:
where isnull(mvfind(hyperlinks, "url2"))

0 Karma