Splunk Search

Removing some field values from a multiple value field

jamesdon
Path Finder

Hello,

I am looking at the results of a table lookup, where many values for a particular field are returned. This is exactly what I want, but I would like to further evaluate one of the fields and only show the tabled results that match a string.

When I attempt to pipe my search into another search, all of the fields still remain, even if I try to match against field_name=one_of_many_values. Is there a way to remove these fields from the search results / MVF?

Thank you,

Jim

1 Solution

Stephen_Sorkin
Splunk Employee

Yes, you can use the "mvfilter" function of the "eval" command. For instance:

... | eval field_name = mvfilter(field_name LIKE "abc-%")

This will retain all values that start with "abc-".

In general, you can put any predicate in mvfilter, and eval will iterate through all the values of the implied multi-valued field and keep only those that evaluate to "true".

joebensimo
Path Finder

This only works if the value for which you want to filter is constant. The mvfilter command won't accept field names as part of the boolean expression other than the multi-value field being filtered.

0 Karma

jamesdon
Path Finder

OK, maybe not perfectly - and I am changing up my requirements a bit. I have a table of report_name, and report_type and they are both MV fields. I only want to print out the report_name, where the report_type=chart.

When using mvfilter, I cannot filter out the report_type that we removed with the filter, unless I display their fields alone. Unfortunately, the field that I want a unique list of, I also want to hide in the tabled results.

0 Karma

jamesdon
Path Finder

This works out perfectly!

0 Karma
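
An added example, not part of the original thread, for the follow-up case above: keep only the report_name values whose report_type is "chart", given that mvfilter can reference only the one field it is filtering. It pairs the two fields with mvzip, filters the pairs, then strips the type off again. The sample values are constructed; it assumes the two fields line up position by position, that "::" does not occur in any value, and that the Splunk version provides mvmap.

```spl
| makeresults
| eval report_name=split("sales_q1,errors_daily,latency_p95", ",")
| eval report_type=split("chart,table,chart", ",")
| eval pair=mvzip(report_name, report_type, "::")
| eval pair=mvfilter(pair LIKE "%::chart")
| eval report_name=mvmap(pair, mvindex(split(pair, "::"), 0))
| table report_name
```

Because the type is now part of each value in the single field "pair", the mvfilter predicate stays within the one-field restriction, and report_type never has to appear in the table.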