Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why cant i supply a field as value for mvfilter?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why cant i supply a field as value for mvfilter?
I'm trying to exclude a value from a multivalue list, but it only works when I input the string as a value, not as a field.
I understand that it takes a regex as part of its expression, so is there any way i can accommodate that?
Example:
`
|makeresults
| eval mymvfield ="a b c"
| makemv mymvfield
| eval exclude_me = "b"
| eval excludes = mvfilter(NOT in(mymvfield, exclude_me))
`
Doesnt work.
| eval mymvfield ="a b c"
| makemv mymvfield
| eval excludes = mvfilter(NOT in(mymvfield, "b"))
works however. Ive tried $exclude_me$, "$exclude_me$" etc without luck..
I need to be able to exclude a value per row, based on the current value of exclude_me .. There has to be a way for this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
More than 1 year late, but a solution without any subsearch is :
| makeresults
| eval mymvfield ="a b c"
| makemv mymvfield
| eval exclude_me = "b"
| eval excludes = mvmap(mymvfield,if(!match(mymvfield,exclude_me),mymvfield,0))
|eval excludes = mvfilter(excludes!="0")`mvmap` will apply a condition on all the field of the multivalue fields (in this case replace the excluded fields with "0"
then we filter on everything that is not "0"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great solution. using null or "" instead of 0 seems to exclude the need for the last mvfilter.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mvfilter(!MyField LIKE "%not_this_text%")- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you could use a subsearch like:
| makeresults
| eval mymvfield ="a b c"
| makemv mymvfield
| eval excludes = mvfilter(NOT in(mymvfield,
[| makeresults
| eval search = "\"b\""
| return $search]))
| eval search = "\"b\"" would be replaced with your actual search, then literally rename the field you want to search
don’t quote me, but I don’t think the REGEX data type in splunk can be replaced with a field value, hence the need to use a subsearch to pass an actual string there
Note the value of search needs to be enclosed in " ", so you may need to do an eval before calling return to add the double quotes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried 'exclude_me'?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi rich, thanks for reply. I only get Error in 'eval' command: The arguments to the 'mvfilter' function are invalid. when i do | eval excludes = mvfilter( NOT in(mymvfield, 'exclude_me') )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If i do the logic | where NOT 'exclude_me' in (mymvfield) the logic works. as soon as i put the exact same string as the argument to the boolean logic in mvfilter it breaks.
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
