Splunk Search

Why cant i supply a field as value for mvfilter?

christoffertoft
Communicator

I'm trying to exclude a value from a multivalue list, but it only works when I input the string as a value, not as a field.

I understand that it takes a regex as part of its expression, so is there any way I can accommodate that?

Example:

```
| makeresults
| eval mymvfield ="a b c"
| makemv mymvfield
| eval exclude_me = "b"
| eval excludes = mvfilter(NOT in(mymvfield, exclude_me))
```

Doesn't work.

```
| makeresults
| eval mymvfield ="a b c"
| makemv mymvfield
| eval excludes = mvfilter(NOT in(mymvfield, "b"))
```

works, however. I've tried `$exclude_me$`, `"$exclude_me$"` etc. without luck.

I need to be able to exclude a value per row, based on the current value of `exclude_me`. There has to be a way to do this?

0 Karma

vgtk4431
Path Finder

More than 1 year late, but a solution without any subsearch is:

```
| makeresults
| eval mymvfield ="a b c"
| makemv mymvfield
| eval exclude_me = "b"
| eval excludes = mvmap(mymvfield, if(NOT match(mymvfield, exclude_me), mymvfield, 0))
| eval excludes = mvfilter(excludes!="0")
```

`mvmap` will apply a condition to every value of the multivalue field (in this case replacing the excluded values with "0"),
then we filter on everything that is not "0".
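One caveat with the `mvmap` approach above: `match()` treats `exclude_me` as a regex and matches substrings, so excluding "b" would also drop a value like "abc". The following is an added example (not from the original thread) that uses an exact comparison inside `mvmap` instead, returns `null()` so that no second `mvfilter` is needed, and builds two constructed rows with different per-row `exclude_me` values to show the exclusion really is evaluated per row:

```spl
| makeresults count=2
| streamstats count AS row
| eval mymvfield = "a b abc c"
| makemv mymvfield
| eval exclude_me = if(row=1, "b", "c")
| eval excludes = mvmap(mymvfield, if(mymvfield=exclude_me, null(), mymvfield))
| table row mymvfield exclude_me excludes
```

Row 1 keeps `a`, `abc`, `c` (the substring match that `match("abc", "b")` would have removed survives), and row 2 keeps `a`, `b`, `abc`.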


elewis1
Path Finder

Great solution. Using null or "" instead of 0 seems to remove the need for the last mvfilter.


jplumsdaine22
Influencer

You could use a subsearch like:

```
| makeresults
| eval mymvfield ="a b c"
| makemv mymvfield
| eval excludes = mvfilter(NOT in(mymvfield,
    [| makeresults
    | eval search = "\"b\""
    | return $search]))
```

`| eval search = "\"b\""` would be replaced with your actual search, then literally rename the field you want to search.
Don't quote me, but I don't think the REGEX data type in Splunk can be replaced with a field value, hence the need to use a subsearch to pass an actual string there.
Note the value of `search` needs to be enclosed in " ", so you may need to do an eval before calling `return` to add the double quotes.

richgalloway
SplunkTrust

Have you tried 'exclude_me'?

---
If this reply helps you, Karma would be appreciated.
0 Karma

christoffertoft
Communicator

Hi Rich, thanks for the reply. I only get `Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.` when I do `| eval excludes = mvfilter( NOT in(mymvfield, 'exclude_me') )`

0 Karma

christoffertoft
Communicator

If I do the logic `| where NOT 'exclude_me' in (mymvfield)` the logic works. As soon as I put the exact same string as the argument to the boolean logic in mvfilter, it breaks.

0 Karma