Yaroslav Borysiuk
Reputation: 71
How to check if the multi-value field contains the value of the other field in Splunk
I need to set the field value according to the existence of another event field (e.g. a field) in a multivalued field of the same event (e.g. mv_field)
Here is an example query, which doesn't work as I expected, because the ext_field always has the value "value_if_true"
| ...
| eval ext_field = if(in(mv_field, field), "value_if_true", "value_if_false")
| ...
Could You please, tell me what am I doing wrong?
Thanks!
Upvotes: 3
Views: 9049
Answers (1)
Yaroslav Borysiuk
Reputation: 71
I've found an answer on my own, believe it will help somebody;)
| ...
| eval ext_field = if(isnull(mvfind(mv_field, field)), "value_if_false", "value_if_true")
| ...
Upvotes: 4
Related Questions
- Multifields search in Splunk without knowing field names
- Separate multiple search values with an OR clause with Splunk?
- Splunk conditional search
- Splunk: Return One or True from a search, use that result in another search
- Splunk search - How to loop on multi values field
- Searching for a particular kind of field in Splunk
- Splunk query do not return value for both columns together
- How to only extract match strings from a multi-value field and display in new column in SPLUNK Query
- Splunk match partial result value of field and compare results
- Checking Splunk logs for one string but not others