Splunk Search

how to exclude some values from results returned by makemv

nickrallysplunk
New Member

My data has a field FooBar, and

| stats count by FooBar

returns:

FooBar        count
-------------------
foo,bar,baz          
foo,baz          
bar,x_waldo 

To split FooBar into individual values I use makemv:

| makemv delim="," FooBar | stats count by  FooBar

and it now returns this table as expected:

FooBar        count
-------------------
foo              
bar              
baz
x_waldo

So far so good.

How can I exclude any values that start with "x_", as in "x_waldo" ?
I tried a simpler task to remove "x_waldo" (instead of excluding all values that start with "x_" pattern) using mvfilter but it did not work. Thank you!

Tags (1)
0 Karma
1 Solution

mhpark
Path Finder

Can't you just add a

| search FooBar!=x_*

at the end of the query?

View solution in original post

0 Karma

mhpark
Path Finder

Can't you just add a

| search FooBar!=x_*

at the end of the query?

View solution in original post

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!