Splunk Search

how to exclude some values from results returned by makemv

nickrallysplunk
New Member

My data has a field FooBar, and

| stats count by FooBar

returns:

FooBar        count
-------------------
foo,bar,baz          
foo,baz          
bar,x_waldo 

To split FooBar into individual values I use makemv:

| makemv delim="," FooBar | stats count by  FooBar

and it now returns this table as expected:

FooBar        count
-------------------
foo              
bar              
baz
x_waldo

So far so good.

How can I exclude any values that start with "x_", as in "x_waldo" ?
I tried a simpler task to remove "x_waldo" (instead of excluding all values that start with "x_" pattern) using mvfilter but it did not work. Thank you!

Tags (1)
0 Karma
1 Solution

mhpark
Path Finder

Can't you just add a

| search FooBar!=x_*

at the end of the query?

View solution in original post

0 Karma

mhpark
Path Finder

Can't you just add a

| search FooBar!=x_*

at the end of the query?

View solution in original post

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.