Splunk Search

Why can't I supply a field as the value for mvfilter?

christoffertoft
Communicator

I'm trying to exclude a value from a multivalue list, but it only works when I input the string as a value, not as a field.

I understand that it takes a regex as part of its expression, so is there any way I can accommodate that?

Example:

```
| makeresults
| eval mymvfield = "a b c"
| makemv mymvfield
| eval exclude_me = "b"
| eval excludes = mvfilter(NOT in(mymvfield, exclude_me))
```

Doesn't work.

```
| makeresults
| eval mymvfield = "a b c"
| makemv mymvfield
| eval excludes = mvfilter(NOT in(mymvfield, "b"))
```

works, however. I've tried $exclude_me$, "$exclude_me$" etc. without luck.

I need to be able to exclude a value per row, based on the current value of exclude_me. There has to be a way to do this?


vgtk4431
Path Finder

More than 1 year late, but a solution without any subsearch is:

```
| makeresults
| eval mymvfield = "a b c"
| makemv mymvfield
| eval exclude_me = "b"
| eval excludes = mvmap(mymvfield, if(match(mymvfield, exclude_me), 0, mymvfield))
| eval excludes = mvfilter(excludes != "0")
```

`mvmap` will apply a condition to all the values of the multivalue field (in this case replacing the excluded values with "0"),
then we filter on everything that is not "0".


elewis1
Explorer

Great solution. Using null or "" instead of 0 seems to remove the need for the last mvfilter.
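A per-row version of the mvmap approach from the reply above, using the null() shortcut from this comment, added here as an example and not taken from any of the replies. It assumes exact matching (`==`) rather than regex `match()`, builds three constructed rows that each exclude a different value, and relies on mvmap dropping null() results so no trailing mvfilter is needed:

```spl
| makeresults count=3
| streamstats count AS row
| eval mymvfield = "a b c", exclude_me = case(row==1, "a", row==2, "b", row==3, "c")
| makemv mymvfield
| eval excludes = mvmap(mymvfield, if(mymvfield == exclude_me, null(), mymvfield))
| table row mymvfield exclude_me excludes
```

Each row keeps only the two values that differ from its own exclude_me. Swap `mymvfield == exclude_me` for `match(mymvfield, exclude_me)` only if exclude_me is genuinely a regex, since with `match` a field value such as `.` would drop every entry.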


jplumsdaine22
Influencer

You could use a subsearch like:

```
| makeresults
| eval mymvfield = "a b c"
| makemv mymvfield
| eval excludes = mvfilter(NOT in(mymvfield,
    [| makeresults
    | eval search = "\"b\""
    | return $search]))
```

`| eval search = "\"b\""` would be replaced with your actual search, then literally rename the field you want to search.
Don't quote me, but I don't think the REGEX data type in Splunk can be replaced with a field value, hence the need to use a subsearch to pass an actual string there.
Note the value of search needs to be enclosed in " ", so you may need to do an eval before calling return to add the double quotes.

richgalloway
SplunkTrust

Have you tried 'exclude_me'?

---
If this reply helps you, Karma would be appreciated.

christoffertoft
Communicator

Hi Rich, thanks for the reply. I only get `Error in 'eval' command: The arguments to the 'mvfilter' function are invalid.` when I do `| eval excludes = mvfilter( NOT in(mymvfield, 'exclude_me') )`


christoffertoft
Communicator

If I do the logic `| where NOT 'exclude_me' in (mymvfield)` the logic works. As soon as I put the exact same string as the argument to the boolean logic in mvfilter it breaks.
