Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I search for events where a specific field value in a multivalue field is NOT the first value per event?

edrivera3
Builder
‎04-06-2015 11:06 AM

Hi
I extracted a multivalue field called error_number which contains all errors in each event. I would like to make a search for those events in which the first field value(in error_number) that appear in the event is not equal to "23424". The error_number="23424" could appear in the event, but it cannot be the first error_number in the event.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎04-06-2015 12:13 PM

This should work:

yoursearchhere 
| eval error_number0 = mvindex(error_number,0)
| where error_number0 != "23424"

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎04-06-2015 12:13 PM

This should work:

yoursearchhere 
| eval error_number0 = mvindex(error_number,0)
| where error_number0 != "23424"
Reply
Solved! Jump to solution

edrivera3
Builder
‎04-06-2015 12:21 PM

Thank you. It worked perfectly.

0 Karma
Reply
Solved! Jump to solution

edrivera3
Builder
‎04-08-2015 09:35 AM

Hi
Is there a way that I could get only the field values that happened before the field value, error_number=23424 ? For example I have the following errors in one event: 1002, 3450, 23424, and 34332. All of the errors are in the multi-value field error_number.

I would like to save only the field value, error_number=3450.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎04-08-2015 10:04 AM 
 yoursearchhere 
 | eval index = mvfind(error_number,"23424")
 | where isnotnull(index) AND index!=0 
 | eval new_error_number = mvindex(error_number,index-1)

If you actually want to set error_number to the single value that preceded "23424", just change new_error_number to error_number

Reply
Solved! Jump to solution

edrivera3
Builder
‎04-08-2015 11:37 AM

Thank you. It worked perfectly. I appreciate your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...