Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why cant i supply a field as value for mvfilter?

christoffertoft
Communicator
‎06-27-2019 04:47 AM

I'm trying to exclude a value from a multivalue list, but it only works when I input the string as a value, not as a field.

I understand that it takes a regex as part of its expression, so is there any way i can accommodate that?

Example:
`
|makeresults
| eval mymvfield ="a b c"
| makemv mymvfield
| eval exclude_me = "b"
| eval excludes = mvfilter(NOT in(mymvfield, exclude_me))

`

Doesnt work.


| eval mymvfield ="a b c"
| makemv mymvfield
| eval excludes = mvfilter(NOT in(mymvfield, "b"))

works however. Ive tried $exclude_me$, "$exclude_me$" etc without luck..

I need to be able to exclude a value per row, based on the current value of exclude_me .. There has to be a way for this?

0 Karma
Reply

vgtk4431
Path Finder
‎12-04-2020 07:53 AM

More than 1 year late, but a solution without any subsearch is :

| makeresults 
| eval mymvfield ="a b c" 
| makemv mymvfield 
| eval exclude_me = "b"
| eval excludes = mvmap(mymvfield,if(!match(mymvfield,exclude_me),mymvfield,0))
|eval excludes = mvfilter(excludes!="0")

`mvmap` will apply a condition on all the field of the multivalue fields (in this case replace the excluded fields with "0"
then we filter on everything that is not "0"

Tags (3)
Reply

elewis1
Path Finder
‎11-09-2021 07:27 AM

Great solution. using null or "" instead of 0 seems to exclude the need for the last mvfilter.

Reply

tmontney
Builder
‎07-27-2020 02:29 PM

https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/MultivalueEvalFunctions#mvfilter....

mvfilter(!MyField LIKE "%not_this_text%")
0 Karma
Reply

jplumsdaine22
Influencer
‎06-27-2019 05:56 AM

you could use a subsearch like:

| makeresults 
| eval mymvfield ="a b c" 
| makemv mymvfield 
| eval excludes = mvfilter(NOT in(mymvfield, 
    [| makeresults 
    | eval search = "\"b\"" 
    | return $search]))

| eval search = "\"b\"" would be replaced with your actual search, then literally rename the field you want to search
don’t quote me, but I don’t think the REGEX data type in splunk can be replaced with a field value, hence the need to use a subsearch to pass an actual string there
Note the value of search needs to be enclosed in " ", so you may need to do an eval before calling return to add the double quotes

Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-27-2019 05:22 AM

Have you tried 'exclude_me'?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

christoffertoft
Communicator
‎06-27-2019 05:32 AM

Hi rich, thanks for reply. I only get Error in 'eval' command: The arguments to the 'mvfilter' function are invalid. when i do | eval excludes = mvfilter( NOT in(mymvfield, 'exclude_me') )

0 Karma
Reply

christoffertoft
Communicator
‎06-27-2019 05:34 AM

If i do the logic | where NOT 'exclude_me' in (mymvfield) the logic works. as soon as i put the exact same string as the argument to the boolean logic in mvfilter it breaks.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...