Splunk Search

How do you change one value in a multivalue field?

wmyersas
Builder

I have tried

| eval mvindex(mvfield,0)="my new value"

But it does not work.

Is it even possible to change/replace/delete a single value in a multivalue field?

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust

@wmyersas

You can add/modify/delete values in a multivalued field (list) by following this simple approach.

Here, you need to separate the existing multivalued field into two temporary fields at your desired index value (array index); see the head and tail fields in the examples below. Using these fields we are able to perform an ADD/EDIT/DELETE action on the value at a given index.

Example:

ADD:

| makeresults count=10 
| eval n=1 
| accum n 
| stats delim="," values(n) as n 
| nomv n 
| eval list=split(n,","), selected_index=1, new_val="1000", head=if(selected_index=0, null(), mvindex(list,0,selected_index-1)), tail=mvindex(list,selected_index,mvcount(list)-1), new_list=mvappend(head,new_val,tail)

UPDATE:

| makeresults count=10 
| eval n=1 
| accum n 
| stats delim="," values(n) as n 
| nomv n 
| eval list=split(n,","), selected_index=1, selected_val="1000", head=if(selected_index=0, null(), mvindex(list,0,selected_index-1)), tail=mvindex(list,selected_index+1,mvcount(list)-1), new_list=mvappend(head,selected_val,tail)

DELETE:

| makeresults count=10 
| eval n=1 
| accum n 
| stats delim="," values(n) as n 
| nomv n 
| eval list=split(n,","), remove_index=1, head=if(remove_index=0, null(), mvindex(list,0,remove_index-1)), tail=mvindex(list,remove_index+1,mvcount(list)-1), new_list=mvappend(head,tail)

Note: Kindly check carefully the difference between the last eval in all 3 searches.

Thanks

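A more general version of the head/tail technique from the accepted answer, as an added example that is not part of the original thread. The list of source addresses, the "known scanner" value 10.0.0.5 and the replacement 198.51.100.1 are constructed for illustration (the scenario assumed is an alert that carries a multivalue list of source IPs from which a known vulnerability scanner has to be removed or redacted before the alert fires). The if()/null() guards are the part the simple head/tail split misses: for index 0, mvindex(list, 0, -1) would return the whole list as the head, and for the last index the tail must be empty rather than an invalid range. The last two fields show the value-based alternative for when you know the value but not its position: mvmap (Splunk 8.0 and later) rewrites matching elements in place, mvfilter drops them.

```spl
| makeresults
| eval list=split("10.0.0.5,10.0.0.9,203.0.113.7,10.0.0.5", ",")
| eval idx=0, new_val="198.51.100.1"
| eval last=mvcount(list)-1
| eval head=if(idx=0, null(), mvindex(list, 0, idx-1))
| eval tail_excl=if(idx>=last, null(), mvindex(list, idx+1, last))
| eval tail_incl=if(idx>last, null(), mvindex(list, idx, last))
| eval inserted=mvappend(head, new_val, tail_incl)
| eval updated=mvappend(head, new_val, tail_excl)
| eval deleted=mvappend(head, tail_excl)
| eval updated_by_value=mvmap(list, if(list="10.0.0.5", "REDACTED", list))
| eval deleted_by_value=mvfilter(list!="10.0.0.5")
| table list idx inserted updated deleted updated_by_value deleted_by_value
```

With idx=0 the constructed list gives inserted = 198.51.100.1 followed by all four original values, updated = 198.51.100.1 followed by the last three, and deleted = the last three; change idx to 3 to see the last-index case, where tail_excl is null and mvappend simply skips it. An idx equal to mvcount(list) is out of range: inserted and updated both degrade to an append and deleted becomes a no-op, so validate the index upstream if that matters. Two caveats for the value-based forms: mvfilter returns null, not an empty list, when every element is removed (wrap it in coalesce() if downstream logic expects the field to exist), and mvmap rewrites every element that matches, which is what you want for a scanner address but not if duplicates carry meaning.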
jocobknight
Explorer

If you don't know the index of the field you're trying to manipulate, then you can use a unique delimiter to unpack it, edit the value with string manipulation functions, and then repack it:

| makeresults
| eval log=split("ne,se,sw,nw", ",")
| eval old=log
| eval dlm="__".random()."__"
| eval log=mvjoin(log, dlm)
| eval log=replace(log, "n", "North-")
| eval log=replace(log, "s", "South-")
| eval log=replace(log, "e", "East")
| eval log=replace(log, "w", "West")
| eval log=split(log, dlm)

0 Karma

jocobknight
Explorer

(To be fair, the unique delimiter isn't necessary if you know your data well enough to pick a static one that won't conflict; it would be more performant than calculating a random integer every event)

0 Karma
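The two comments above describe joining the values, editing the joined string and re-splitting it. Here is an added example (not from the original posts) that anchors the regex on the delimiter so replace() only touches whole elements; without the lookaround, the pattern "admin" would also rewrite the inside of "administrator". The account list and the static ";" delimiter are constructed for illustration. The delimiter_clash field implements the precondition the second comment relies on: it is non-null if any element already contains the delimiter, in which case the static shortcut is unsafe and a generated delimiter (or a different character) is needed.

```spl
| makeresults
| eval list=split("admin,administrator,root,admin,svc_backup", ",")
| eval dlm=";"
| eval delimiter_clash=mvcount(mvfilter(like(list, "%;%")))
| eval joined=dlm.mvjoin(list, dlm).dlm
| eval joined=replace(joined, "(?<=;)admin(?=;)", "svc_admin")
| eval joined=replace(joined, "(?<=;)root;", "")
| eval edited=split(trim(joined, ";"), dlm)
| table list delimiter_clash edited
```

The joined string starts and ends with the delimiter so that the first and last elements get the same lookaround treatment as the ones in the middle; the first replace() renames both "admin" elements and leaves "administrator" alone, the second removes the "root" element together with its trailing delimiter, and trim() strips the outer delimiters before the split. Expect edited to hold svc_admin, administrator, svc_admin, svc_backup and delimiter_clash to be null for this input.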

wmyersas
Builder

Don't know that I'd call that "simple" - but it does seem to work 🙂

0 Karma

sandeepmakkena
Contributor

| eval fields=split(mvfield,"/") 
| eval my_new_value=mvindex(fields,0)

Before you use mvindex, try using split first.

Hope this helps, Thanks!

0 Karma

wmyersas
Builder

How is using split() on a multivalue field going to help?

In my example, mvfield is already multivalue, and there may (or may not) be any common character (e.g. /) in each item of the multivalue field.

I want to change one specific item in a multivalue field, not create a multivalue field from a single-value one.

0 Karma

somesoni2
SplunkTrust

What type of values are stored in your multivalued field, and what updates do you want to make? Does it depend upon the index of the value, or can it be identified by some regex?

0 Karma

wmyersas
Builder

For the moment, assume it's text values (though it could be anything)

And, depending on the search, I may want to change a specific value to something else, delete it, or push a new value into the mvfield not at the end (this last instance might be possible with mvappend (https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/MultivalueEvalFunctions#mvappend....), but I'm not sure).

0 Karma