×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
chrids
Explorer
Member since: ‎04-01-2022
‎04-07-2022
Community Statistics
Posts 3
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎04-01-2022
Activity Feed
View All

Re: How to filter a multivalue field using a subse...

by in Splunk Search
‎04-04-2022 03:14 AM
‎04-04-2022 03:14 AM
Got it working! Thanks so much! I had a syntax error and changed it to a final: | eval bar_filtered = mvfilter(NOT [ | makeresults | append [ | search foo | rename foobar as bar | fields bar ] | format "(" "" "" "" "OR" ")" ] )   ... View more

Re: How to filter a multivalue field using a subse...

by in Splunk Search
‎04-03-2022 09:41 PM
‎04-03-2022 09:41 PM
It's almost there, I can't manage to replace the two "| makeresults/| append" with a "| search" however in the final query. This:   | makeresults | eval mymvfield = "b" | append [| makeresults | eval mymvfield = "c"] | format "" "" "" "" "AND" ""    evaluates to:   mymvfield="b" AND mymvfield="c"     My reduced use-case:   | makeresults | append [ | search foo | fields bar | head 2] | format "" "" "" "" "AND" ""   evaluates to:   bar="result1" AND bar="result2"     Wrapping that into mvfilter(NOT [ .. ]) gives me: Error in 'eval' command: The expression is malformed.  ... View more

How to filter a multivalue field using a subsearch...

by in Splunk Search
‎04-01-2022 11:20 AM
‎04-01-2022 11:20 AM
I found a close answer to what I'm looking for here: https://community.splunk.com/t5/Splunk-Search/Why-cant-i-supply-a-field-as-value-for-mvfilter/m-p/450564/highlight/true#M127583 The example, excludes 1 example, add \"a\" for more, which works: | makeresults | eval mymvfield ="a b c" | makemv mymvfield | eval excludes = mvfilter(NOT in(mymvfield, [| makeresults | eval search = "\"b\"" | return $search])) What I'm looking for, use return which seemingly translates to (b) OR (a) ... : | makeresults | eval mymvfield ="a b c" | makemv mymvfield | eval excludes = mvfilter(NOT in(mymvfield, [| search something | return 3 $some_field])) I get weird parsing errors which I thought maybe could be solved by using "format" but I'm at a loss. I reckon you could probably solve this by doing a subsearch and filtering prior to making the multivalue field, I'm however curious if you can make this query work. Please let me know if anything is unclear. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎04-07-2022 05:56 AM
Karma given to
View All