Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Removing some field values from a mulitiple value field

jamesdon
Path Finder
‎03-31-2011 09:22 PM

Hello,

I am looking at the results of a table lookup, where there many values for a particular field are returned. This is exactly what I want, but I would like to further evaluate one of the fields and only show the tabled results that match a string.

When I attempt to pipe my search into another search, the all of fields still remain, even if I try to match against field_name=one_of_many_values. Is there a away to remove these fields from the search results / MVF?

Thank you,

Jim

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎04-01-2011 02:03 PM

Yes, you can use the "mvfilter" function of the "eval" command. For instance:

... | eval field_name = mvfilter(field_name LIKE "abc-%")

This will retain all values that start with "abc-."

In general, you can put any predicate in mvfilter, and eval will iterate through all the values of the implied multi-valued field and keep only those that evaluate to "true".

View solution in original post

Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎04-01-2011 02:03 PM

Yes, you can use the "mvfilter" function of the "eval" command. For instance:

... | eval field_name = mvfilter(field_name LIKE "abc-%")

This will retain all values that start with "abc-."

In general, you can put any predicate in mvfilter, and eval will iterate through all the values of the implied multi-valued field and keep only those that evaluate to "true".

Reply
Solved! Jump to solution

joebensimo
Path Finder
‎06-20-2014 02:03 PM

This only works if the value for which you want to filter is constant. The mvfilter command won't accept field names as part of the boolean expression other than the multi-value field being filtered.

0 Karma
Reply
Solved! Jump to solution

jamesdon
Path Finder
‎04-08-2011 08:24 PM

OK, maybe not perfectly - and I am changing up my requirements a bit. I have a table of report_name, and report_type and they are both MV fields. I only want to print out the report_name, where the report_type=chart.

When using mvfilter, I cannot filter out the report_type that we removed with the filter, unless I display their fields alone. Unfortunately, the field that I want a unique list of, I also want to hide in the tabled results.

0 Karma
Reply
Solved! Jump to solution

jamesdon
Path Finder
‎04-08-2011 07:45 PM

This works out perfectly!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...