
I need to set the field value according to the existence of another event field (e.g. a field) in a multivalued field of the same event (e.g. mv_field)

Here is an example query, which doesn't work as I expected, because the ext_field always has the value "value_if_true"

```
| ...
| eval ext_field = if(in(mv_field, field), "value_if_true", "value_if_false")
| ...
```

Could you please tell me what I am doing wrong?

Thanks!

1 Answer


I've found an answer on my own; I believe it will help somebody ;)

```
| ...
| eval ext_field = if(isnull(mvfind(mv_field, field)), "value_if_false", "value_if_true")
| ...
```
Gokhan Arik
  • This is not entirely accurate. Reading the Splunk docs, the `mvfind` function uses a regex match, yielding the following undesirable behavior:

    ```
    | makeresults
    | eval my_multival="one,two,three"
    | makemv delim="," my_multival
    | eval value_to_compare="re"
    | eval is_present=if(isnull(mvfind(my_multival, value_to_compare)), "no", "yes")
    ```

    Here, "yes" will be printed because "re" is a substring of "three". Instead, if you had used "^re$", then you will correctly get "no". So if you had "^three$", then you get "yes". – Pasindu Muthukuda Jul 25 '23 at 20:48
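The accepted answer relies on `mvfind`, which matches each multivalue entry against a regex, and the comment above shows that an unanchored needle therefore matches substrings. Anchoring with `^...$` fixes that case but is still not an exact comparison: a needle that contains regex metacharacters (a dot in an IP address, a `+` in a token) is interpreted as a pattern. The Python below is an added example, not Splunk code and not from the original post; it models the documented `mvfind` semantics (regex search over the values, null when nothing matches) so the three variants can be compared side by side on constructed sample data. The function names (`is_present_naive`, `is_present_anchored`, `is_present_exact`) are my own. In SPL the equivalent of `re.escape` would have to be built by running `replace()` over the needle before concatenating the anchors.

```python
import re
from typing import Optional, Sequence


def mvfind(values: Sequence[str], pattern: str) -> Optional[int]:
    """Model of Splunk eval mvfind(<mv>, <regex>): index of the first
    multivalue entry that the regex matches, or None when no entry matches
    (None stands in for Splunk's null). Uses search(), not fullmatch(),
    because that is the substring behaviour the comment above describes."""
    compiled = re.compile(pattern)
    for idx, value in enumerate(values):
        if compiled.search(value):
            return idx
    return None


def is_present_naive(mv: Sequence[str], needle: str) -> bool:
    """The accepted answer as posted: the raw field value is the regex."""
    return mvfind(mv, needle) is not None


def is_present_anchored(mv: Sequence[str], needle: str) -> bool:
    """The comment's fix: anchor the needle. Still a regex, so metacharacters
    inside the needle are interpreted rather than matched literally."""
    return mvfind(mv, "^" + needle + "$") is not None


def is_present_exact(mv: Sequence[str], needle: str) -> bool:
    """Anchor and escape the needle, giving a true exact-value membership test."""
    return mvfind(mv, "^" + re.escape(needle) + "$") is not None


def ext_field(mv: Sequence[str], needle: str) -> str:
    """Mirror of the answer's eval: 'value_if_true' when the exact value is
    present in the multivalue field, otherwise 'value_if_false'."""
    return "value_if_true" if is_present_exact(mv, needle) else "value_if_false"


if __name__ == "__main__":
    # Constructed sample events, mirroring the comment's makeresults test.
    cases = [
        (["one", "two", "three"], "re"),        # substring false positive
        (["one", "two", "three"], "three"),     # genuine hit
        (["10x0y0z1"], "10.0.0.1"),             # dots match any char: false positive
        (["a+b"], "a+b"),                       # '+' is a quantifier: false negative
    ]
    for mv, needle in cases:
        print(f"{mv!r:32} needle={needle!r:12} "
              f"naive={is_present_naive(mv, needle)!s:5} "
              f"anchored={is_present_anchored(mv, needle)!s:5} "
              f"exact={is_present_exact(mv, needle)!s:5} -> {ext_field(mv, needle)}")
```

Only `is_present_exact` answers the original question ("does this exact value appear in the multivalue field?") for every row; the naive form is wrong on the first and third rows and the anchored form is wrong on the third and fourth.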