Usage of Splunk EVAL Function : MVFILTER

  • This function filters a multivalue field based on a Boolean expression X, keeping only the values for which X is true.
  • X can reference only one multivalue field at a time.

  Find below the skeleton of the usage of the function “mvfilter” with EVAL :

... | eval New_Field=mvfilter(X)

Example 1:

index=_internal sourcetype=splunkd_ui_access
| stats values(method) as method by status
| head
| eval A=mvfilter(method!="GET")

Result: (result table shown as a screenshot in the original post)

Explanation:

In the above query, “_internal” is the index name and “splunkd_ui_access” is the sourcetype name. With the “stats” command we collect the distinct values of “method” for each “status”. Here “method” and “status” are existing field names in the “_internal” index. We use the “values” function of the “stats” command so that “method” becomes a multivalue field. Then the “head” command keeps the first 10 rows of the result set. Finally, the “mvfilter” function removes the “GET” value from the “method” field and stores the remaining values in a new field A. The “!=” operator excludes a value from the result set. In this way we can filter our multivalue fields.

****************************************************************************

Example 2:

index=_internal sourcetype=splunkd_ui_access
| stats values(method) as method by status
| head
| eval A=mvfilter(method="GET" OR method="DELETE")

Result: (result table shown as a screenshot in the original post)

Explanation:

In the above query, “_internal” is the index name and “splunkd_ui_access” is the sourcetype name. With the “stats” command we collect the distinct values of “method” for each “status”. Here “method” and “status” are existing field names in the “_internal” index. We use the “values” function of the “stats” command so that “method” becomes a multivalue field. Then the “head” command keeps the first 10 rows of the result set. Finally, the “mvfilter” function keeps only the “GET” and “DELETE” values from the “method” field and stores them in a new field A. We use OR to keep several values from a multivalue field. In this way we can filter our multivalue fields.

*****************************************************************************

Example 3:

index=_internal sourcetype=splunkd_ui_access
| stats values(method) as method by status
| head
| eval A=mvfilter(method!="GET" AND method!="DELETE")

Result: (result table shown as a screenshot in the original post)

Explanation:

In the above query, “_internal” is the index name and “splunkd_ui_access” is the sourcetype name. With the “stats” command we collect the distinct values of “method” for each “status”. Here “method” and “status” are existing field names in the “_internal” index. We use the “values” function of the “stats” command so that “method” becomes a multivalue field. Then the “head” command keeps the first 10 rows of the result set. Finally, the “mvfilter” function removes both the “GET” and “DELETE” values from the “method” field and stores the remaining values in a new field A. We use AND to remove several values from a multivalue field. In this way we can filter our multivalue fields.
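The following search is an added example that is not part of the original post. It builds a constructed multivalue “method” field with “makeresults” (no “_internal” data needed), applies all three filters from the examples above side by side, and shows the edge case the screenshots do not: when no value passes the filter, “mvfilter” returns null, which matters if you later count non-GET methods per status for an alert.

```spl
| makeresults count=1
| eval status="200;404;500"
| makemv delim=";" status
| mvexpand status
| eval method=case(status="200", "GET;POST;DELETE", status="404", "GET", status="500", "GET;PUT")
| makemv delim=";" method
| eval only_non_get=mvfilter(method!="GET")
| eval get_or_delete=mvfilter(method="GET" OR method="DELETE")
| eval neither=mvfilter(method!="GET" AND method!="DELETE")
| eval non_get_count=mvcount(only_non_get)
| fillnull value="(none)" only_non_get neither
| table status method only_non_get get_or_delete neither non_get_count
```

For status 404 the “method” field holds only “GET”, so “only_non_get” and “neither” are null (shown as “(none)” after “fillnull”) and “non_get_count” is empty rather than 0; guard such counts with “coalesce(mvcount(...), 0)” before comparing them in an alert condition.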

Now you can effectively use the “mvfilter” function with the “eval” command to meet your requirements !!

Hope you are now comfortable with: Usage of Splunk EVAL Function : MVFILTER

Happy Splunking !!
