Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

mvfind can't see spaces and parenthesis

LHAYNES020
Explorer
‎12-15-2022 08:00 AM

I'm trying to use where(isnotnull(mvfind(mvfield,field))) to search to see which records are part of a list. The fields are all strings, and some of them have parentheticals at the end. I noticed that mvfind does not seem to capture these fields. To illustrate my point, try the following search.

 

 

| makeresults count=10 
| streamstats count as n 
| eval n=n-1 
| eval n=case(n<3,"Test (".n.")",n<6,"Test ".n,n<9,"(".n.")",1=1,n) 
| eventstats list(n) as mv 
| eval index=mvfind(mv,n)

 

 

When you do, you'll see that items 3-9 are captured, but 0-2 are not, even though the very values of n were used to generate the mv field.

I currently have a workaround to just use rex commands to substitute different strings for the parenthesis, run my mvfind, and then use rex to substitute them back, but it feels a little ridiculous. Does anyone know why mvfind doesn't work here or a cleaner way to fix it? 

 

Labels (4)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-15-2022 10:27 AM

The mvfind function matches by regular expression rather than exact string.  The parentheses in n represent a capture group and don't match the text in mv.  I cannot, however, explain why the code works for values 6-8.

 

| makeresults count=10 
| streamstats count as n 
| eval n=n-1 
| eval n=case(n<3,"Test (".n.")",n<6,"Test ".n,n<9,"(".n.")",1=1,n) 
| eventstats list(n) as mv 
| eval n=replace(n,"\(", "\\("), n=replace(n,"\)", "\\)")
| eval index=mvfind(mv,n)

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-15-2022 10:35 AM

This might give a better example of how mvfind works

| makeresults count=10 
| streamstats count as n 
| eval n=n-1 
| eval n=case(n<3,"Test (".n.")",n<6,"Test ".(n-3),n<9,"(".(n-6).")",1=1,n) 
| eventstats list(n) as mv 
| eval index=mvfind(mv,n)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-15-2022 10:23 AM

mvfind is working correctly, the second parameter is taken as a regex so you are right to substitute in escape characters where necessary.

https://docs.splunk.com/Documentation/SCS/current/SearchReference/MultivalueEvalFunctions#mvfind.28.... 

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...