The Splunk Threat Research Team (STRT) continuously monitors the threat landscape to develop, test, and deliver custom detection searches to help identify vulnerabilities and cyber attacks within your. Usage. | eval mv_Results=mvfilter (mv_B > A) However, this does NOT work. Multivalue fields can also result from data augmentation using lookups. Hi, I would like to count the values of a multivalue field by value. . I create a MV field for just the value I am interested in, determine the total count, and then return the value at the index of count-1. In regards to your other observation, 100 might be the visible display limit, but the other limit in eventstats is memory based (the default is 200MB per search using eventstats). | eval field_C =if(isnotnull(mvfind(field_B,field_A)),field_A,null())Migrate Splunk detection rules to Microsoft Sentinel . Check "Advanced options", scroll down to "Match type", enter CIDR (clientip), clientip being the. A filler gauge includes a value scale container that fills and empties as the current value changes. It's a bit hack-y, as it adds two multivalue fields to each event - the holiday name and date. Neither of these appear to work for me: y=mvfilter(isnotnull(x)) y=mvfilter(!isnull(x)) While this does:COVID-19 Response SplunkBase Developers Documentation. How to use mvfilter to get list of data that contain less and only less than the specific data?Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. It works! mvfilter is useful, i didn´t know about it, and single quotes is what i needed. Splunk Enterprise. index="456446" | lookup 456446_lookup component_id as column_a outputnew value as comparison_field | table column_a, column_b, comparison_field | where column_b < comparison_field. g. com in order to post comments. The following list contains the functions that you can use to compare values or specify conditional statements. This function filters a multivalue field based on a Boolean Expression X . Now, I want to take the timestamp lets say, 15-5-2017, and iterate down the Time column, and match another row with the same timestamp. See the Data on Splunk Training. We’ve gathered, in a single place, the tutorials, guides, links and even books to help you get started with Splunk. The first change condition is working fine but the second one I have where I setting a token with a different value is not. 0. 8 – MVFILTER(mvfilter) mvfilter() gives the result based on certain conditions applied on it. The best way to do is use field extraction and extract NullPointerException to a field and add that field to your search. 06-28-2021 03:13 PM. COVID-19 Response SplunkBase Developers Documentation. “ match ” is a Splunk eval function. with. When I did the search to get dnsinfo_hostname=etsiunjour. Splunk Cloud Platform translates all that raw data [25 million monthly messages] into transparent, actionable insights that teams across Heineken use to resolve operational issues and improve performance. I am analyzing the mail tracking log for Exchange. Splunk Employee. 06-20-2022 03:42 PM. BrowseEdit file knownips. Hi, We have a lookup file with some ip addresses. . This function will return NULL values of the field as well. don’t quote me, but I don’t think the REGEX data type in splunk can be replaced with a field value, hence the need to use a subsearch to pass an actual string there Note the value of search needs to be enclosed in " " , so you may need to do an eval before calling return to add the double quotesThe mvfilter command LOOKS similar to what I want, but in reverse (the mv variables are the regexes, of which any match is a reason to exit the search). Solved: Currently, I have a form with a search that populates a two column table, and am using one of the columns as a key to append a third. April 1, 2022 to 12 A. I am trying the get the total counts of CLP in each event. Alerting. names. This function filters a multivalue field based on an arbitrary Boolean expression. Thank you. mvfilter(<predicate>) Description. You can use fillnull and filldown to replace null values in your results. I am trying to figure out when. Thanks!COVID-19 Response SplunkBase Developers Documentation. The command generates events from the dataset specified in the search. 201. Remove mulitple values from a multivalue field. Here's what I am trying to achieve. Splunk Tutorial: Getting Started Using Splunk. COVID-19 Response SplunkBase Developers Documentation. Now add this to the end of that search and you will see what the guts of your sparkline really is:I'm calculating the time difference between two events by using Transaction and Duration. The fillnull command replaces null values in all fields with a zero by default. com in order to post comments. Solution . | eval [new_field] = mvfilter (match ( [old mv field], " [string to match]")) View solution in original post. | eval mv_Results=mvfilter (mv_B > A) However, this does NOT work. Reply. Identify and migrate rules Usage of Splunk EVAL Function: MVINDEX : • This function takes two or three arguments ( X,Y,Z) • X will be a multi-value field, Y is the start index and Z is the end index. | eval New_Field=mvfilter(X) Example 1: See full list on docs. Reply. Any help would be appreciated 🙂. The search command is an generating command when it is the first command in the search. conf/. If you ignore multivalue fields in your data, you may end up with missing. 201. The field "names" must have "bob". Curly braces (and the dot, actually) are special characters in eval expressions, so you will need to enclose the field name in single quotes: 'hyperlinks{}. The mvfilter function works with only one field at a time. You can accept selected optional. you can 'remove' all ip addresses starting with a 10. 1 Karma Reply. This function can also be used with the where command and the fieldformat command, however, I will only be showing some examples. 02-24-2021 08:43 AM. mvzipコマンドとmvexpand. 10-17-2019 11:44 AM. This video shows you both commands in action. . , 'query_1_z']}, [, match_missing= {True, False}]) Pass a. View solution in original post. 1 Karma. containers{} | mvexpand spec. If anyone has this issue I figured it out. OR, you can also study this completely fabricated resultset here. You want to create a field which is the URL minus the UserId part, And therefore the stats will be grouped by which url is called. For example, if you search for Location!="Calaveras Farms", events that do not have Calaveras Farms as the Location are. For example, the duration as days between the "estimated delivered date" and the "actual delivered date" of a shipping package: If the actual date is "2018-04-13 00:00:00" and the estimated one is "2018-04-15 00:00:00", the result will be . Multifields search in Splunk without knowing field names. Log in now. With a few values I do not care if exist or not. Help returning stats with a value of 0. 10)). Suppose you have data in index foo and extract fields like name, address. We help security teams around the globe strengthen operations by providing. The documentation states the following: mvfilter (X) This function filters a multivalue field based on an arbitrary Boolean expression X. Use the mvcount, mvindex, and mvfilter eval functions to evaluate Topic 4 – Analymultivalue fieldsze Multivalue Data Use the mvsort, mvzip, mvjoin, mvmap, and mvappend eval functions and the mvexpand command to analyze multivalue data AboutSplunk Education Splunk classes are designed for specific roles such as Splunk count events in multivalue field. All detections relevant to a particular threat are packaged in the form of analytic stories (also known as use cases). 1: DO NOT CHANGE ANYTHING ABOUT THE "SUBMIT" checkbox other than cosmetic things (e. mvfilter(<predicate>) Description. I am trying to format multi-value cell data in a dashboard table using mvmap in an eval token before passing it on to a drilldown, however I am unable to figure out how to format the eval function and if this approach would work at all. 1 Found the answer after posting this question, its just using exiting mvfilter function to pull the match resutls. . 0. This function is useful for checking for whether or not a field contains a value. your_search Type!=Success | the_rest_of_your_search. host=test* | transaction Customer maxspan=3m | eval logSplit = split (_raw. Sample example below. It worked. And when the value has categories add the where to the query. I have a single value panel. You must be logged into splunk. Hello, I need to evaluate my _time against a list of times output from a lookup table and produce a calculated field "nextPeriodTime" which is the next time after _time. New to Splunk, need some guidance on how to approach the below: Need to find null values from multivalue field. Also you might want to do NOT Type=Success instead. I am trying to use look behind to target anything before a comma after the first name and look ahead to. Below is my query and screenshot. Description. | spath input=spec path=spec. BrowseIt's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card! Review: SOAR (f. When you use the untable command to convert the tabular results, you must specify the categoryId field first. BrowseUsage of Splunk EVAL Function : MVCOUNT. don’t quote me, but I don’t think the REGEX data type in splunk can be replaced with a field value, hence the need to use a subsearch to pass an actual string there Note the value of search needs to be enclosed in " " , so you may need to do an eval before calling return to add the double quotesComparison and Conditional functions. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers. Splunk Threat Research Team. We can also use REGEX expressions to extract values from fields. There is also could be one or multiple ip addresses. 201. in Following search query we need to pass the value for nonsupporting days dynamically based on the criteria. Community; Community; Splunk Answers. - Ryan Kovar In our last post on parsing, we detailed how you can pass URL Toolbox a fully qualified domain name or URL and receive a nicely parsed set of fields that. Usage of Splunk EVAL Function : MVCOUNT. BUT, you will want to confirm with data owners the indexes aren't actually being used since, again, this search is not 100%. Each event has a result which is classified as a success or failure. The classic method to do this is mvexpand together with spath. Explorer 03-08-2020 04:34 AM. Filter values from a multivalue field. It takes the index of the IP you want - you can use -1 for the last entry. Splunk, Splunk>, Turn Data Into. I have a lot to learn about mv fields, thanks again. So the scenarios is like this - I have a search query which gets a web service response in which there is a tag "identifier" and this tags occurs multiple times in the same event with values like like P123456, D123465 etc. AD_Name_C AD_Name_C AD_Name_B AD_Name_B AD_Name_A AD_Name_A 2. attributes=group,role. Description. To determine the time zone to assign to a timestamp, Splunk software uses the following logic in order of precedence: Use the time zone specified in raw event data (for example, PST, -0800), if present. i'm using splunk 4. index=indexer action= Null NOT [ | inputlookup excluded_ips | fields IP | format ] The format command will change the list of IPs into ( (IP=10. I want to deal the multivalue field to get the counts whch is satisfied the conditions I set. If you have 2 fields already in the data, omit this command. Reply. You should be able to do a normal wildcard lookup for exclusions and then filter on the looked up field. Yes, timestamps can be averaged, if they are in epoch (integer) form. But when I join using DatabaseName, I am getting only three records, 1 for A, 1 for B with NULL and 1 for C. And you will end up with: aName=Field1 aValue=123 Field1=123 aName=Field1 aValue=234 Field1=234 aName=Field2 aValue=345. Change & Condition within a multiselect with token. Refer to the screenshot below too; The above is the log for the event. len() command works fine to calculate size of JSON object field, but len()Same fields with different values in one event. 02-05-2015 05:47 PM. JSON array must first be converted to multivalue before you can use mv-functions. You must be logged into splunk. This is using mvfilter to remove fields that don't match a regex. BrowseThe Splunk Search Command, mvzip, takes multivalue fields, X and Y, and combines them by stitching together. your current search giving Date User list (data) | where isnull (mvfilter ('list (data)'>3)) | chart count (user) by date. . Run Your Heroku app With OpenTelemetry This blog post is part of an ongoing series on OpenTelemetry. Partners Accelerate value with our powerful partner ecosystem. I need to be able to return the data sources in the panel EVEN if they return 0 events per data source. When I build a report by Account Name it looks like there were two events instead of one, because Splunk is indexing Account Name twice in this case. Use the mvcount, mvindex, and mvfilter eval functions to evaluate multivalue fields Topic 4 – Analyze Multivalue Data Use the mvsort, mvzip, mvjoin, mvmap, and mvappend eval. Splunk Enterprise users can create ingest-time eval expressions to process data before indexing occurs. The problem I am facing is this search is working fine with small size events but when it comes to large events with more CLP counts. Any ideas on how to do that? For example, if I add "BMW" in the text box, it should get added to the "Car List" Multiselect input. In Bro DNS logs, query and response information is combined into a single event, so there is not Bro. When you untable these results, there will be three columns in the output: The first column lists the category IDs. 32. The problem I am facing is this search is working fine with small size events but when it comes to large events with more CLP counts. . Browse . conf, if the event matches the host, source, or source type that. Verify whether your detections are available as built-in templates in Microsoft Sentinel: If the built-in rules are sufficient, use built-in rule templates to create rules for your own workspace. g. Having the data structured will help greatly in achieving that. Mvfilter: Eg: mvfilter (eval (x!=userId))I'm not sure what the deal is with mvfind, but would this work?: search X | eval a=mvfilter(eventtype LIKE "network_%") | search a=* | COVID-19 Response SplunkBase Developers Documentation BrowseHi, I am building a dashboard where I have an multi-select input called locations, which is populated with a query via the dynamic options. Regards, VinodSolution. So X will be any multi-value field name. Try Splunk Cloud Platform free for 14 days. I'd like to filter a multivalue field to where it will only return results that contain 3 or more values. Motivator 01-27. The mvcombine command creates a multivalue version of the field you specify, as well as a single value version of the field. | gentimes start=1/1/17 end=10/1/18 increment=1d | rename starttime AS _time | stats sparkline (count, 2h) AS sparkline. I have this panel display the sum of login failed events from a search string. This video shows you both commands in action. substraction: | eval field1=mvfilter(match(field, "OUT$")) <-substract-> | eval field1=mvfilter(match(field, "IN$")) knitz. index = test | where location="USA" | stats earliest. Splunk Data Fabric Search. To simplify the development process, I've mocked up the input into a search as so: eventtype=SomeEventType | eval servers="serverName01;serverName02;serverName03" | makemv delim=";" servers |. 156. 2 Karma. For example: | makeresults | eval values_type=split ( "value1,value2,value1,value2,value1,value2,value1,value2,value2,value2,value2,",",") | eval values_count=mvcount (values_type) | eval value1=mvfilter (match. containers{} | where privileged == "true" With your sample da. This function removes the duplicate values from a multi-value field. This machine data can come from web applications, sensors, devices or any data created by user. i tried with "IN function" , but it is returning me any values inside the function. A new field called sum_of_areas is created to store the sum of the areas of the two circles. | gentimes start=1/1/17 end=10/1/18 increment=1d | rename starttime AS _time | stats sparkline (count, 2h) AS sparkline. The Boolean expression can reference ONLY ONE field at a time. However, for events such as email logs, you can find multiple values in the “To” and “Cc” fields. The syntax of the <predicate-expression> is checked before running the search, and an exception is returned for an invalid expression. The syntax is simple: field IN. If X is a multi-value field, it returns the count of all values within the field. COVID-19 Response SplunkBase Developers DocumentationBased on your description, the only information the second search needs from the first search is host, the time the host got compromised, and 120 seconds after that time. 94, 90. Suppose I want to find all values in mv_B that are greater than A. My use case is as follows: I have sourcetype-A that returns known malicious indicators (through multi-valued fields) I have sourcetype-B that has DNS query logs from hosts I'd like to make a search where I compile a. i've also tried using the mvindex () command with success, however, as the order of the eventtype mv is never the same. Numbers are sorted before letters. Industry: Software. 0. In splunk docs I read that mvfilter in combination with isnotnull or !isnull functions can be used when you want to return only values that are not NULL from a multivalue field. Something like that:Using variables in mvfilter with match or how to get an mvdistinctcount(var) chris. In the following Windows event log message field Account Name appears twice with different values. You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions. W hether you are new to Splunk or just needing a refresh, this article can guide you to some of the best resources on the web for using Splunk. There are at least 1000 data. containers {} | spath input=spec. Let say I want to count user who have list (data) that contains number less and only less than "3". Usage of Splunk Eval Function: MATCH. we can consider one matching “REGEX” to return true or false or any string. his example returns true IF AND ONLY IF field matches the basic pattern of an IP address. Log in now. If you search with the != expression, every event that has a value in the field, where that value does not match the value you specify, is returned. I narrowed down the issue to an eval statement in the drilldown - |eval k=mvfilter(match(t, ",1$")) - to match a field that ends with ,1. Hi, In excel you can custom filter the cells using a wild card with a question mark. Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. | spath input=spec path=spec. And this is the table when I do a top. It can possibly be done using Splunk 8 mvmap and I can think of a couple of other possibilities, but try this and see if it works for you. Exception in thread "main" com. userPr. And you will end up with: aName=Field1 aValue=123 Field1=123 aName=Field1 aValue=234 Field1=234 aName=Field2 aValue=345. I would like to remove multiple values from a multi-value field. search command usage. A new field called sum_of_areas is. There might be better ways to do it. Paste the following search verbatim into your Splunk search bar and you'll get a result set of 8 rows, where the 7th row turns out to be an "alpha" that we want to filter out. Dashboards & Visualizations. This function takes matching “REGEX” and returns true or false or any given string. In regards to your other observation, 100 might be the visible display limit, but the other limit in eventstats is memory based (the default is 200MB per search using eventstats). This Splunk search is an example on how to remove unwanted values from multivalue fields using mvfilter. The classic method to do this is mvexpand together with spath. See why organizations trust Splunk to help keep their digital systems secure and reliable. 1. outlet_states | | replace "false" with "off" in outlet_states. You can learn anytime, from anywhere about a range of topics so you can become a Splunk platform pro. You should be able to do a normal wildcard lookup for exclusions and then filter on the looked up field. 2. | datamodel | spath output=modelName modelName | search modelName!=Splunk_CIM_Validation `comment ("mvexpand on the fields value for this model fails with default settings for limits. Given that you specifically need to know what's missing from yesterday and what's missing from today (as opposed to what's missing from either of the two days) I think two separate mvmaps will be the best solution as oppsosed to using mvappend and working out. | stats count | fields - count | eval A=split("alpha,alpha,beta,c,d,e,alpha,f",",") | mvexpand AHi, We have a lookup file with some ip addresses. g. 1. You can use mvfilter to remove those values you do not want from your multi value field. Once you have the eventtypes defined, use eval with mvfilter to get rid of any extraneous eventtypes, and then create your table: eventtype="webapp-error-*" | eval errorType = mvfilter (eventtype LIKE "webapp-error-%") | stats count by sourcetype, errorType. Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. If X is a multi-value field, it returns the count of all values within the field. Splunk search - How to loop on multi values field. However, when there are no events to return, it simply puts "No. Splunk Employee. “ match ” is a Splunk eval function. Try something like this | makeresults | eval mymvfield ="a b c" | makemv mymvfield | eval excludes = mvfilter(NOT [| makeresults | evalCOVID-19 Response SplunkBase Developers Documentation. | spath input=spec path=spec. In this example we want ony matching values from Names field so we gave a condition and it is. 1) The data is ingested as proper JSON and you should be seeing multivalued field for your array elements (KV_MODE = json) 2) As you said, responseTime is the 2nd element in and it appears only one. 04-04-2023 11:46 PM. Usage of Splunk EVAL Function : MVCOUNT. An ingest-time eval is a type of transform that evaluates an expression at index-time. Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you. Upload CSV file in "Lookups -> Lookup table files -> Add new". 3. I realize the splunk doesn't do if/then statements but I thought that was the easiest way to explain. - Ryan Kovar In our last post on parsing, we detailed how you can pass URL Toolbox a fully qualified domain name or URL and receive a nicely parsed set of fields that. This function filters a multivalue field based on an arbitrary Boolean expression. Stream, collect and index any type of data safely for enterprise level insights for IT, Security. For this simple run-anywhere example I would like the output to be: Event failed_percent open . Diversity, Equity & Inclusion Learn how we. Also, I include a static option called "ANY" with a value * I have also a token prefix and suffix of double quotes (") and the delimiter of a coma ( , )Suppose I want to find all values in mv_B that are greater than A. Customers Users Wells fargo [email protected]. Let's call the lookup excluded_ips. Hello all, I'm having some trouble formatting and dealing with multivalued fields. The expression can reference only one field. to be particular i need those values in mv field. Splunk Administration; Deployment Architecture. search X | eval mvfind ( eventtype, "network_*" ) but it returns that the 'mvfind' function is unsupported. 05-25-2021 03:22 PM. Expanding on @richgalloway's answer, you can do this: index=ndx sourcetype=srctp mvfield="foo" | where mvindex (mvfield,0)="foo". String mySearch = "search * | head 5"; Job job = service. Hello, I need to evaluate my _time against a list of times output from a lookup table and produce a calculated field "nextPeriodTime" which is the next time after _time. I came quite close to the final desired result by using a combination of eval, forearch and mvfilter. Neither of these appear to work for me: y=mvfilter (isnotnull (x)) y=mvfilter (!isnull (x)) While this does: y=mvfilter (x!="NULL"))Remove mulitple values from a multivalue field. The documentation states the following: mvfilter (X) This function filters a multivalue field based on an arbitrary Boolean expression X. This example uses the pi and pow functions to calculate the area of two circles. I think this is just one approach. Is it possible to use the commands like makemv or nomv in data models? I am using regular expressions while building the datamodel for extracting some of the fields. This function takes maximum two ( X,Y) arguments. 31, 90. | gentimes start=1/1/17 end=10/1/18 increment=1d | rename starttime AS _time | stats sparkline (count, 2h) AS sparkline. len() command works fine to calculate size of JSON object field, but len() command doesn't work for array field. The documentation states the following: mvfilter (X) This function filters a multivalue field based on an arbitrary Boolean expression X. | eval remote_access_port = mvfilter (destination_ports="4135") 1 Karma. Data is populated using stats and list () command. 156. Data exampleHow Splunk software determines time zones. There are several ways that this can be done. COVID-19 Response SplunkBase Developers DocumentationSplunk Tutorial. containers {} | spath input=spec. Functions of “match” are very similar to case or if functions but, “match” function deals. In the example above, run the following: | eval {aName}=aValue. splunk. | eval mv_Results=mvfilter (mv_B > A) However, this does NOT work. to be particular i need those values in mv field. Find below the skeleton of the usage of the function “mvdedup” with EVAL :. url' @yuanliu - Yeah, mvfilter can reference only one field, the rest should be only string/pattens. The use of printf ensures alphabetical and numerical order are the same. With the fieldformat command you can use an <eval-expression> to change the format of a field value when the results render. | eval mv_Results=mvfilter (mv_B > A) However, this does NOT work. | eval first_element=mvindex (my_WT_ul,0) | eval same_ul = mvfilter (match (my_WT_ul, first_element)) | eval lang_change=mvcount (my_WT_ul)-mvcount (same_ul) The idea here being if all. If you reject optional cookies, only cookies necessary to provide you the services will be used. The reason for that is that Type!=Success implies that the field "Type" exists, but is not equal to "Success". | eval f1split=split (f1, ""), f2split=split (f2, "") Make multi-value fields (called f1split and f2split) for each target field. Click Local event log collection. com 123@wf. . Then, the user count answer should be "1". mvexpand breaks the memory usage there so I need some other way to accumulate the results. splunk. When you view the raw events in verbose search mode you should see the field names. | msearch index=my_metrics filter="metric_name=data. g. This is in regards to email querying. Alternatively, add | table _raw count to the end to make it show in the Statistics tab. 54415287320261. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers. It believes in offering insightful, educational, and valuable content and it's work reflects that. I am attempting to build a search that pulls back all logs that have a value in a multi-value field but do not have other values. com in order to post comments. We thought that doing this would accomplish the same:. . 12-18-2017 12:35 AM. Logging standards & labels for machine data/logs are inconsistent in mixed environments. This Splunk search is an example on how to remove unwanted values from multivalue fields using mvfilter. Your command is not giving me output if field_A have more than 1 values like sr. • This function returns a subset field of a multi-value field as per given start index and end index. 3: Ensure that 1 search. It could be in IPv4 or IPv6 format. The reason for that is that Type!=Success implies that the field "Type" exists, but is not equal to "Success". org. I divide the type of sendemail into 3 types. . In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII. I'm struggling with a problem occurring in a drilldown search used in a dashboard panel. The second template returns URL related data. for every pair of Server and Other Server, we want the. The join command is an inefficient way to combine datasets. 01-13-2022 05:00 AM. There is also could be one or multiple ip addresses. g. Please try to keep this discussion focused on the content covered in this documentation topic. You could look at mvfilter, although I haven't seen it be used to for null. Filter values from a multivalue field. Splunk Platform Products. So, Splunk 8 introduced a group of JSON functions. . The expression can reference only one field. To monitor files and directories in Splunk Cloud Platform, you must use a universal or a heavy forwarder in nearly all cases. You can use this -. without the quotes, otherwise Splunk will literally be looking for the string "Type!=Success". That's not how the data is returned. If you do not want the NULL values, use one of the following expressions: mvfilter(!isnull(<value>)) Usage of Splunk EVAL Function : MVFILTER . It's using mvzip to zip up the 3 fields and then filter out only those which do NOT have a - sign at the start, then extracting the fields out again. Filtering search results with mvfilter - (05-14-2019 02:53 PM) Getting Data In by CaninChristellC on 05-14-2019 02:53 PM Latest post on 05-15-2019 12:15 AM by knielsenHi, We have a lookup file with some ip addresses. your current search | eval yourfield=split(yourfield,"/") | eval filteredVal=mvfilter(match(yourfield,"Item2")) View solution in original post.