Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I search for events where a specific field value in a multivalue field is NOT the first value per event?

edrivera3
Builder
‎04-06-2015 11:06 AM

Hi
I extracted a multivalue field called error_number which contains all errors in each event. I would like to make a search for those events in which the first field value(in error_number) that appear in the event is not equal to "23424". The error_number="23424" could appear in the event, but it cannot be the first error_number in the event.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎04-06-2015 12:13 PM

This should work:

yoursearchhere 
| eval error_number0 = mvindex(error_number,0)
| where error_number0 != "23424"

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎04-06-2015 12:13 PM

This should work:

yoursearchhere 
| eval error_number0 = mvindex(error_number,0)
| where error_number0 != "23424"
Reply
Solved! Jump to solution

edrivera3
Builder
‎04-06-2015 12:21 PM

Thank you. It worked perfectly.

0 Karma
Reply
Solved! Jump to solution

edrivera3
Builder
‎04-08-2015 09:35 AM

Hi
Is there a way that I could get only the field values that happened before the field value, error_number=23424 ? For example I have the following errors in one event: 1002, 3450, 23424, and 34332. All of the errors are in the multi-value field error_number.

I would like to save only the field value, error_number=3450.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎04-08-2015 10:04 AM 
 yoursearchhere 
 | eval index = mvfind(error_number,"23424")
 | where isnotnull(index) AND index!=0 
 | eval new_error_number = mvindex(error_number,index-1)

If you actually want to set error_number to the single value that preceded "23424", just change new_error_number to error_number

Reply
Solved! Jump to solution

edrivera3
Builder
‎04-08-2015 11:37 AM

Thank you. It worked perfectly. I appreciate your help.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...