Filtering on specific multivalue field value

frbuser
Path Finder

How do I return results based on a specific value of a multivalue field?

Example
returns all results where the 1st value of a multivalue field equals foo.

wmyersas
Builder

Expanding on @richgalloway's answer, you can do this:

index=ndx sourcetype=srctp mvfield="foo"
| where mvindex(mvfield,0)="foo"

Doing the mvfield="foo" in the first line of the search will throw away all events where that individual value is not in the multivalue field.

Then the | where clause will further trim it.

vnravikumar
Champion

Hi @frbuser

Please try

| makeresults 
| eval test_column="test,cpu,foo,digit" 
| append 
    [| makeresults 
    | eval test_column="foo,one,two"] 
| makemv delim="," test_column 
| eval found=mvfind(test_column,"foo") 
| search found=0

Here found=0 when foo appears as the first value.
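Putting the two answers above together, here is an added example that is not part of the original thread: it builds four constructed Windows-Security-style events with makeresults (the Account_Name and EventCode values are assumptions, not real log data), pre-filters on the value with a plain search term, and then keeps only the events whose first Account_Name value is exactly "foo". Both position checks from the thread are computed side by side: mvindex(Account_Name, 0) and mvfind. Note that mvfind takes a regex, so an unanchored "foo" would also match "foobar" at position 0; the pattern is anchored as "^foo$" to avoid that.

```spl
| makeresults
| eval Account_Name="foo,SERVER01$", EventCode=4624
| append [| makeresults | eval Account_Name="SERVER01$,foo", EventCode=4624]
| append [| makeresults | eval Account_Name="foobar,foo", EventCode=4672]
| append [| makeresults | eval Account_Name="bar,baz", EventCode=4624]
| makemv delim="," Account_Name
| search Account_Name="foo"
| eval first_account=mvindex(Account_Name, 0)
| eval foo_pos=mvfind(Account_Name, "^foo$")
| where first_account="foo"
| table EventCode Account_Name first_account foo_pos
```

Only the first constructed event survives: the second has "foo" in position 1, the third has "foobar" in position 0 (and "foo" only in position 1), and the fourth never contains "foo" at all, so `search Account_Name="foo"` drops it before any eval runs. Against real data the `search Account_Name="foo"` line moves into the base search so the indexer does the coarse filtering, for example `index=wineventlog sourcetype=WinEventLog:Security Account_Name="foo" | where mvindex(Account_Name, 0)="foo"` (index and sourcetype names assumed); the where clause then only has to inspect the already-reduced set of events that contain the value somewhere.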

frbuser
Path Finder

This requires adding a new field to every event. Is there any way to do this via the initial search command?

The whole purpose is to retrieve the required events and doing it this way would require me to retrieve a larger subset first which is not very efficient in my case.

For some background, I am working with Windows event logs and I am filtering based on the Account_Name field. This field is however a multivalue field.

If I filter by any other criteria first, the query takes a long time to execute because there are so many logs to iterate through.

richgalloway
SplunkTrust

Something like | where mvindex(myField, 0)="foo" ?

frbuser
Path Finder

This requires that you retrieve a subset of events first. Is there any way to do this earlier within a search command?

Otherwise it makes the query less efficient because I have to retrieve a high volume of events then further filter it with "where".

richgalloway
SplunkTrust

It would help to see some sample events.
