Splunk Search

Why can't I supply a field as value for mvfilter?

christoffertoft
Communicator

I'm trying to exclude a value from a multivalue list, but it only works when I input the string as a value, not as a field.

I understand that it takes a regex as part of its expression, so is there any way I can accommodate that?

Example:
```
| makeresults
| eval mymvfield ="a b c"
| makemv mymvfield
| eval exclude_me = "b"
| eval excludes = mvfilter(NOT in(mymvfield, exclude_me))
```

Doesn't work.

```
| makeresults
| eval mymvfield ="a b c"
| makemv mymvfield
| eval excludes = mvfilter(NOT in(mymvfield, "b"))
```

works, however. I've tried $exclude_me$, "$exclude_me$" etc. without luck.

I need to be able to exclude a value per row, based on the current value of exclude_me. There has to be a way to do this?


vgtk4431
Path Finder

More than 1 year late, but a solution without any subsearch is:

```
| makeresults
| eval mymvfield ="a b c"
| makemv mymvfield
| eval exclude_me = "b"
| eval excludes = mvmap(mymvfield, if(!match(mymvfield, exclude_me), mymvfield, 0))
| eval excludes = mvfilter(excludes != "0")
```

`mvmap` will apply a condition to every value of the multivalue field (in this case replacing the excluded values with "0"), then we filter on everything that is not "0".

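As an added example (not from vgtk4431's post or from Splunk's documentation) that extends the same mvmap idea to the per-row case the question asks for: every row carries its own exclude_me, and the expression returns null() for the excluded element so no second mvfilter pass is needed. It compares with == rather than match(), because match() treats exclude_me as a regex, so a value such as "b" would also drop "ab" and a value such as "." would drop everything. The row numbers and the exclude_me values per row are constructed test data.

```spl
| makeresults count=3
| streamstats count AS row
| eval mymvfield = "a b c ab"
| makemv mymvfield
| eval exclude_me = case(row==1, "a", row==2, "b", row==3, "c")
| eval excludes = mvmap(mymvfield, if(mymvfield == exclude_me, null(), mymvfield))
| table row exclude_me mymvfield excludes
```

Row 2 keeps "ab" in excludes because the comparison is exact; the match() form would have removed it as well. If exclude_me is itself a multivalue list, mvmap still only sees one value at a time, so a membership test against the list has to go through mvfind(), which again takes a regex and needs the value escaped.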

elewis1
Explorer

Great solution. Using null or "" instead of 0 seems to exclude the need for the last mvfilter.


jplumsdaine22
Influencer

You could use a subsearch like:

```
| makeresults
| eval mymvfield ="a b c"
| makemv mymvfield
| eval excludes = mvfilter(NOT in(mymvfield,
    [| makeresults
    | eval search = "\"b\""
    | return $search]))
```

`| eval search = "\"b\""` would be replaced with your actual search, then literally rename the field you want to search.
Don't quote me, but I don't think the REGEX data type in Splunk can be replaced with a field value, hence the need to use a subsearch to pass an actual string there.
Note the value of search needs to be enclosed in " ", so you may need to do an eval before calling return to add the double quotes.

richgalloway
SplunkTrust

Have you tried 'exclude_me'?

---
If this reply helps you, an upvote would be appreciated.

christoffertoft
Communicator

Hi Rich, thanks for the reply. I only get `Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.` when I do `| eval excludes = mvfilter( NOT in(mymvfield, 'exclude_me') )`


christoffertoft
Communicator

If I do the logic `| where NOT 'exclude_me' in (mymvfield)` it works. As soon as I put the exact same string as the argument to the boolean logic in mvfilter it breaks.
