The first change condition is working fine but the second one I have where I setting a token with a different value is not. k. | eval [new_field] = mvfilter (match ( [old mv field], " [string to match]")) View solution in original post. Splunk Coalesce command solves the issue by normalizing field names. Information about Splunk's directors and executive officers, including their ownership of Splunk securities, is set forth in the proxy statement for Splunk's 2023. My use case is as follows: I have sourcetype-A that returns known malicious indicators (through multi-valued fields) I have sourcetype-B that has DNS query logs from hosts I'd like to make a search where I compile a. </change>" section that unsets BOTH these tokens: {"SUBMIT_CHECKBOX", "form. Filtering search results with mvfilter - (05-14-2019 02:53 PM) Getting Data In by CaninChristellC on 05-14-2019 02:53 PM Latest post on 05-15-2019 12:15 AM by knielsenHi, We have a lookup file with some ip addresses. I am using mvcount to get all the values I am interested for the the events field I have filtered for. Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. The difficulty is that I want to identify duplicates that match the value of another field. data model. The search command is an generating command when it is the first command in the search. Return a string value based on the value of a field. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers. Because the search command is implied at the beginning of a search string, all you need to specify is the field name and a list of values. I have already listed them out from a comma separated value but, I'm having a hard time getting them the way I want them to display. | eval remote_access_port = mvfilter (destination_ports="4135") 1 Karma. Logging standards & labels for machine data/logs are inconsistent in mixed environments. This function is useful for checking for whether or not a field contains a value. We thought that doing this would accomplish the same:. Log in now. | gentimes start=-1 | eval field1=”pink,fluffy,unicorns” | table field1 | makemv field1 delim=”,” | eval field1_filtered=mvfilter (NOT match (field1,”pink”) AND NOT match (field1. key2. 32) OR (IP=87. What I want to do is to change the search query when the value is "All". Given that you specifically need to know what's missing from yesterday and what's missing from today (as opposed to what's missing from either of the two days) I think two separate mvmaps will be the best solution as oppsosed to using mvappend and working out. Thanks!COVID-19 Response SplunkBase Developers Documentation. For example, if you search for Location!="Calaveras Farms", events that do not have Calaveras Farms as the Location are. In the example above, run the following: | eval {aName}=aValue. Curly braces (and the dot, actually) are special characters in eval expressions, so you will need to enclose the field name in single quotes: 'hyperlinks{}. . csv as desired. Community; Community; Splunk Answers. 01-13-2022 05:00 AM. The following list contains the functions that you can use to compare values or specify conditional statements. Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. Use the TZ attribute set in props. Also, I include a static option called "ANY" with a value * I have also a token prefix and suffix of double quotes (") and the delimiter of a coma ( , )Suppose I want to find all values in mv_B that are greater than A. com in order to post comments. The filldown command replaces null values with the last non-null value for a field or set of fields. For instance: This will retain all values that start with "abc-. Regards, VinodSolution. index="nxs_mq" | table interstep _time | lookup params_vacations. Usage of Splunk EVAL Function : MVCOUNT. In the following Windows event log message field Account Name appears twice with different values. With your sample data, output is like. I have a lot to learn about mv fields, thanks again. Splunk search - How to loop on multi values field. 0. | makeresults | eval _raw="LRTransactions 0 48580100196 48580100231 48580100687 48580100744 48580100909 48580100910 48580101088 48580101119 48580101320" | multikv forceheader=1 | eval LRTransactions=split(LRTransactions," ") | table LRTransactions | eval LRTransactions. . This example uses the pi and pow functions to calculate the area of two circles. We can't use mvfilter here because you cannot reference multiple fields in mvfilter. . getJobs(). See Predicate expressions in the SPL2. Usage. Return a string value based on the value of a field. This Splunk search is an example on how to remove unwanted values from multivalue fields using mvfilter. | search destination_ports=*4135* however that isn't very elegant. Click New to add an input. My answer will assume following. Change & Condition within a multiselect with token. Reply. 2: Ensure that EVERY OTHER CONTROL has a "<change>. Any help would be appreciated 🙂. len() command works fine to calculate size of JSON object field, but len()Same fields with different values in one event. Assuming you have a mutivalue field called status the below (untested) code might work. . Three things need to happen relating to "All" - if the selection is empty, put the default "All" in the form token; if "All" is added after another value, make the form token hold just "All"; and, if another value is added after "All", keep all values which aren't "All". The problem I am facing is this search is working fine with small size events but when it comes to large events with more CLP counts. I'd like to filter a multivalue field to where it will only return results that contain 3 or more values. For example, in the following picture, I want to get search result of (myfield>44) in one event. BrowseIt's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card! Review: SOAR (f. don’t quote me, but I don’t think the REGEX data type in splunk can be replaced with a field value, hence the need to use a subsearch to pass an actual string there Note the value of search needs to be enclosed in " " , so you may need to do an eval before calling return to add the double quotes Hi all, i want to hide / delete / exclude some keyword like " supersaiyan" , "leave" from the below event using mvfilter. for every pair of Server and Other Server, we want the. Turn on suggestions. Click Monitor to monitor Event Log data on the local Windows machine, or Forward to forward Event Log data from another Windows machine. Hello, I need to evaluate my _time against a list of times output from a lookup table and produce a calculated field "nextPeriodTime" which is the next time after _time. Splunk Administration; Deployment Architecture1. AB22- , AB43-, AB03- Are these searches possible in Splunk? If I write AB*- , it will match AB1233-, ABw-, AB22222222-. Use the mvcount, mvindex, and mvfilter eval functions to evaluate Topic 4 – Analymultivalue fieldsze Multivalue Data Use the mvsort, mvzip, mvjoin, mvmap, and mvappend eval functions and the mvexpand command to analyze multivalue data AboutSplunk Education Splunk classes are designed for specific roles such as Splunk count events in multivalue field. Usage. A new field called sum_of_areas is created to store the sum of the areas of the two circles. Splunk uses what’s called Search Processing Language (SPL), which consists of keywords, quoted phrases, Boolean expressions, wildcards (*), parameter/value pairs, and comparison expressions. In regards to your other observation, 100 might be the visible display limit, but the other limit in eventstats is memory based (the default is 200MB per search using eventstats). Filtering data Comments Download topic as PDF Filtering data When you aggregate data, sometimes you want to filter based on the results of the aggregate. k. | eval New_Field=mvfilter(X) Example 1: See full list on docs. That is stuff like Source IP, Destination IP, Flow ID. 05-18-2010 12:57 PM. Browse Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. Unfortunately, you cannot filter or group-by the _value field with Metrics. Stream, collect and index any type of data safely for enterprise level insights for IT, Security. This function takes matching “REGEX” and returns true or false or any given string. For example: | makeresults | eval values_type=split ( "value1,value2,value1,value2,value1,value2,value1,value2,value2,value2,value2,",",") | eval values_count=mvcount (values_type) | eval value1=mvfilter (match. mvfilter(<predicate>) Description. It can possibly be done using Splunk 8 mvmap and I can think of a couple of other possibilities, but try this and see if it works for you. Usage. 156. Yes, timestamps can be averaged, if they are in epoch (integer) form. . And you will end up with: aName=Field1 aValue=123 Field1=123 aName=Field1 aValue=234 Field1=234 aName=Field2 aValue=345. You can try this: | rest /services/authentication/users |rename title as User, roles as Role |stats count by User Role |fields - count| appendcols [ |rest /services/authorization/roles |table title srchIndexesAllowed|rename title as Role]|stats values (Role) as Role values (srchIndexesAllowed) as Indexes by User. your current search | eval yourfield=split(yourfield,"/") | eval filteredVal=mvfilter(match(yourfield,"Item2")) View solution in original post. So, if the first search is already run, the most straight-forward solution would be a subsearch using the first CSV file. COVID-19 Response SplunkBase Developers Documentation. COVID-19 Response SplunkBase Developers DocumentationSyntax: <predicate-expression>. For example: | makeresults | eval values_type=split ( "value1,value2,value1,value2,value1,value2,value1,value2,value2,value2,value2,",",") | eval values_count=mvcount (values_type) | eval value1=mvfilter (match. I create a MV field for just the value I am interested in, determine the total count, and then return the value at the index of count-1. Fast, ML-powered threat detection. column2=mvfilter (match (column1,"test")) Share. value". Assuming you have a mutivalue field called status the below (untested) code might work. 05-24-2016 07:32 AM. In splunk docs I read that mvfilter in combination with isnotnull or !isnull functions can be used when you want to return only values that are not NULL from a multivalue field. The command generates events from the dataset specified in the search. And when the value has categories add the where to the query. All VFind Security ToolKit products feature a Cryptographic Integrity Tool (CIT), Universal Atomic Disintegrator (UAD) and MVFilter. How to use mvfilter to get list of data that contain less and only less than the specific data?It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card! Review: SOAR (f. If the field is called hyperlinks{}. It takes the index of the IP you want - you can use -1 for the last entry. index = test | where location="USA" | stats earliest. noun. Below is my dashboard XML. g. . If the role has access to individual indexes, they will show. csv) Define lookup in "Looksup -> Lookup definitions -> Add new". 05-25-2021 03:22 PM. With a few values I do not care if exist or not. The filldown command replaces null values with the last non-null value for a field or set of fields. We empower Splunkterns with mentoring and real work challenges, ensuring that they make meaningful contributions to our business. A new field called sum_of_areas is created to store the sum of the areas of the two circles. Once you have the eventtypes defined, use eval with mvfilter to get rid of any extraneous eventtypes, and then create your table: eventtype="webapp-error-*" | eval errorType = mvfilter (eventtype LIKE "webapp-error-%") | stats count by sourcetype, errorType. , 'query_z'] , 'property_name_1' : ['query_1','query_1_a',. Log in now. Now add this to the end of that search and you will see what the guts of your sparkline really is:Suppose I want to find all values in mv_B that are greater than A. It could be in IPv4 or IPv6 format. This is my final splunk query. g. can COVID-19 Response SplunkBase Developers Documentation Browse In splunk docs I read that mvfilter in combination with isnotnull or !isnull functions can be used when you want to return only values that are not NULL from a multivalue field. I want to use the case statement to achieve the following conditional judgments. * meaning anything followed by [^$] meaning anything that is not a $ symbol then $ as an anchor meaning that must be the end of the field value. Search filters are additive. The sort command sorts all of the results by the specified fields. - Ryan Kovar In our last post on parsing, we detailed how you can pass URL Toolbox a fully qualified domain name or URL and receive a nicely parsed set of fields that. So I found this solution instead. outlet_states | | replace "false" with "off" in outlet_states. Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. status=SUCCESS so that only failures are shown in the table. Data is populated using stats and list () command. Using the query above, I am getting result of "3". conf/. g. Usage of Splunk EVAL Function : MVCOUNT. I need to search for *exception in our logs (e. If that answer solves your issue, please accept it so the question no longer appears open, and others have an easier time finding the answer. html). This function removes the duplicate values from a multi-value field. Neither of these appear to work for me: y=mvfilter (isnotnull (x)) y=mvfilter (!isnull (x)) While this does: y=mvfilter (x!="NULL")) don’t quote me, but I don’t think the REGEX data type in splunk can be replaced with a field value, hence the need to use a subsearch to pass an actual string there Note the value of search needs to be enclosed in " " , so you may need to do an eval before calling return to add the double quotes Solution. I envision something like the following: search. Hi All, I want to eliminate TruestedLocation = Zscaler in my splunk search result. You must be logged into splunk. 50 close . While on the component side, it does exactly as advertised and removes ALL from the multiselect component when something else is selected, Splunk itself does not appear to be honoring the update to the token. This is the most powerful feature of Splunk that other visualisation tools like Kibana, Tableau lacks. The Boolean expression can reference ONLY ONE field at. his example returns true IF AND ONLY IF field matches the basic pattern of an IP address. The regex is looking for . The second field has the old value of the attribute that's been changed, while the 3rd field has the new value that the attribute has been changed to. Administrator,SIEM can help — a lot. | stats count | fields - count | eval A=split("alpha,alpha,beta,c,d,e,alpha,f",",") | mvexpand AHi, We have a lookup file with some ip addresses. com [email protected] and I am attempting to use this JavaScript code to remove ALL from my multiselect. In the following Windows event log message field Account Name appears twice with different values. 2 or earlier, you would just have a single eval per field instead of multiple fields separated by commas, i. • Y and Z can be a positive or negative value. When working with data in the Splunk platform, each event field typically has a single value. Calculate the sum of the areas of two circles. But with eval, we cannot use rex I suppose, so how do I achieve this? Read some examples that we can use mvfilter along with a match function, but it didn't seem to work. If you make sure that your lookup values have known delimiters, then you can do it like this. A filler gauge includes a value scale container that fills and empties as the current value changes. You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions. host=test* | transaction Customer maxspan=3m | eval logSplit = split (_raw. We could even take action against the event in Splunk by copying it, redacting the password in the src_user field, and placing it in a summary index for further investigation. An absolute time range uses specific dates and times, for example, from 12 A. Today, we are going to discuss one of the many functions of the eval command called mvzip. That's why I use the mvfilter and mvdedup commands below. . In splunk docs I read that mvfilter in combination with isnotnull or !isnull functions can be used when you want to return only values that are not NULL from a multivalue field. can COVID-19 Response SplunkBase Developers Documentation BrowseIn splunk docs I read that mvfilter in combination with isnotnull or !isnull functions can be used when you want to return only values that are not NULL from a multivalue field. I am trying the get the total counts of CLP in each event. So I found this solution instead. This machine data can come from web applications, sensors, devices or any data created by user. Explorer 03-08-2020 04:34 AM. Upload CSV file in "Lookups -> Lookup table files -> Add new". The single value version of the field is a flat string that is separated by a space or by the delimiter that you specify with the delim argument. to be particular i need those values in mv field. The result of the values (*) function is a multi-value field, which doesn't work well with replace or most other commands and functions not designed for them. | eval NEW_FIELD=mvdedup(X) […] トピック1 – 複数値フィールドの概要. Your lookup could look like this: group_name,ShouldExclude group-foo-d-*,Exclude group-bar-t-*,Exclude. Below is the query that I used to get the duration between two events Model and Response host=* sourcetype=** source="*/example. here is the search I am using. a, instead of using mvindex/split use split to create a multivalue field and mvfilter to get the LoadBalancer wherever it is: sourcetype=aws:cloudwatch | spath path=SampleCount | spath path=metric_dimensions | spath path=metric_name | spath path=timestampe | search source = "*ApplicationELB" AND met. Splunk Enterprise users can create ingest-time eval expressions to process data before indexing occurs. index=test "vendorInformation. This example uses the pi and pow functions to calculate the area of two circles. If this reply helps you, Karma would be appreciated. So the scenarios is like this - I have a search query which gets a web service response in which there is a tag "identifier" and this tags occurs multiple times in the same event with values like like P123456, D123465 etc. You could look at mvfilter, although I haven't seen it be used to for null. Numbers are sorted based on the first. csv interstep OUTPUT 0900,1000,1100,1200,1300,1400,1500,1600,1700 |Hi, I have a log file that generates about 14 fields I am interested in, and of those fields, I need to look at a couple of fields and correlate on them, but still return the results of all. Community; Community; Splunk Answers. provider"=IPC | eval Event_Date=mvindex('eventDateTime',0) | eval UPN=mvindex('userStates{}. . key avg key1 100 key2 200 key3 300 I tried to use. First, I would like to get the value of dnsinfo_hostname field. 01-13-2022 05:00 AM. This Splunk search is an example on how to remove unwanted values from multivalue fields using mvfilter. a. Help returning stats with a value of 0. No credit card required. This function filters a multivalue field based on an arbitrary Boolean expression. Description. column2=mvfilter (match (column1,"test")) Share Improve this answer Follow answered Sep 2, 2020 at 1:00 rockstar 87 2 11 Add a comment 0 | eval column2=split (column1,",") | search column2="*test*" Use the mvcount, mvindex, and mvfilter eval functions to evaluate multivalue fields Topic 4 – Analyze Multivalue Data Use the mvsort, mvzip, mvjoin, mvmap, and mvappend eval functions and the mvexpand command to analyze multivalue data Splunk Education Services About Splunk Education mvfilter(<predicate>) This function filters a multivalue field based on a predicate expression. The classic method to do this is mvexpand together with spath. with. This command changes the appearance of the results without changing the underlying value of the field. I am working with IPFix data from a firewall. I want specifically 2 charac. sjohnson_splunk. This function filters a multivalue field based on an arbitrary Boolean expression. | eval f1split=split (f1, ""), f2split=split (f2, "") Make multi-value fields (called f1split and f2split) for each target field. Browse . com is my is our internal email domain name, recipient field is the recipient of the email, either a single-valued field or a multi-valued field. . If X is a single value-field , it returns count 1 as a result. 12-18-2017 12:35 AM. Phantom) >> Enterprise Security >> Splunk Enterprise or Cloud for Security >> Observability >> Or Learn More in Our Blog >>This does not seem to be documented anywhere, but you can use the curly braces to create fields that are based on field values. Process events with ingest-time eval. create(mySearch); Can someone help to understand the issue. com your current search giving Date User list (data) | where isnotnull (mvfilter ('list (data)'<3)) | chart count (user) by date. For each resolve_IP, do lookups csv fil again to get:Splunk Geek is a professional content writer with 6 years of experience and has been working for businesses of all types and sizes. I want specifically 2 charac. If you search with the != expression, every event that has a value in the field, where that value does not match the value you specify, is returned. I don't know how to create for loop with break in SPL, please suggest how I achieve this. If you do not want the NULL values, use one of the following expressions: mvfilter(!isnull(<value>)) Search, Filter and Correlate. I have a search and SPATH command where I can't figure out how exclude stage {}. If X is a multi-value field, it returns the count of all values within the field. . | makeresults | eval test=split ("abc,defgh,a,asdfasdfasdfasdf,igasfasd", ",") | eval. This rex command creates 2 fields from 1. Defend against threats with advanced security analytics, machine learning and threat intelligence that focus detection and provide high-fidelity alerts to shorten triage times and raise true positive rates. David. Splunk Threat Research Team. 自己記述型データの定義. | gentimes start=1/1/17 end=10/1/18 increment=1d | rename starttime AS _time | stats sparkline (count, 2h) AS sparkline. Alternatively you could use an eval statement with the mvfilter function to return only multi value fields that contain your port. HI All, How to pass regular expression to the variable to match command? Please help. With the fieldformat command you can use an <eval-expression> to change the format of a field value when the results render. By Stephen Watts July 01, 2022. I need to add the value of a text box input to a multiselect input. Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. index="jenkins_statistics" event_tag=job_event. Splunk Development. Then, the user count answer should be "1". Solved: Hi Splunk community, I have this query source=main | transaction user_id | chart count as Attempts,Splexicon:Bloomfilter - Splunk Documentation. eval txKV = mvfilter (match (kvPair, "tx_success")) | eval txCount = mvcount (txKV) | eval txTime = mvindex (txKV, txCount-1) |. This function will return NULL values of the field x as well. src_user is the. Filter values from a multivalue field. Check "Advanced options", scroll down to "Match type", enter CIDR (clientip), clientip being the. There is also could be one or multiple ip addresses. Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. 0. The fillnull command replaces null values in all fields with a zero by default. Splunk Employee. i've also tried using the mvindex () command with success, however, as the order of the eventtype mv is never the same. 34. BrowseEdit file knownips. COVID-19 Response SplunkBase Developers Documentation. There are at least 1000 data. | eval field_C =if(isnotnull(mvfind(field_B,field_A)),field_A,null())Migrate Splunk detection rules to Microsoft Sentinel . If you ignore multivalue fields in your data, you may end up with missing. containers {} | mvexpand spec. You can use mvfilter to remove those values you do not. I am trying to use look behind to target anything before a comma after the first name and look ahead to. 02-15-2013 03:00 PM. JSON array must first be converted to multivalue before you can use mv-functions. Splunk Administration; Deployment Architecture1. This function takes single argument ( X ). In both templates are the. Splunk Data Fabric Search. . Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. And when the value has categories add the where to the query. Reply. you can 'remove' all ip addresses starting with a 10. as you can see, there are multiple indicatorName in a single event. As a result, it will create an MV field containing all the Exceptions like this: From here, you can just easily filter out the ones you don't like using the | where command: | where mvcount (exception_type) > 1 OR exception_type != "Default". containers{} | mvexpand spec. Click Local event log collection. Each event has a result which is classified as a success or failure. Numbers are sorted before letters. It works! mvfilter is useful, i didn´t know about it, and single quotes is what i needed. Splunk, Splunk>, Turn Data Into Doing, Data-to-Everything, and. | eval mv_Results=mvfilter (mv_B > A) However, this does NOT work. AD_Name_K. Description. Splunk Threat Research Team. The first template returns the flow information. Solution. 02-15-2013 03:00 PM. The mvcombine command creates a multivalue version of the field you specify, as well as a single value version of the field. Three things need to happen relating to "All" - if the selection is empty, put the default "All" in the form token; if "All" is added after another value, make the form token hold just "All"; and, if another value is added after "All", keep all values which aren't "All". However, I get all the events I am filtering for. Ex. don’t quote me, but I don’t think the REGEX data type in splunk can be replaced with a field value, hence the need to use a subsearch to pass an actual string there Note the value of search needs to be enclosed in " " , so you may need to do an eval before calling return to add the double quotesThe mvfilter command LOOKS similar to what I want, but in reverse (the mv variables are the regexes, of which any match is a reason to exit the search). Click the links below to see the other blog. Something like that:Using variables in mvfilter with match or how to get an mvdistinctcount(var) chris. View solution in. | spath input=spec path=spec. Usage of Splunk EVAL Function : MVCOUNT. Currently the data is kinda structured when I compare the _raw Event, when i compare it with the dig response. Splunk Cloud: Find the needle in your haystack of data. key1. If you reject optional cookies, only cookies necessary to provide you the services will be used. Please try to keep this discussion focused on the content covered in this documentation topic. 複数値フィールドを理解する. Verify whether your detections are available as built-in templates in Microsoft Sentinel: If the built-in rules are sufficient, use built-in rule templates to create rules for your own workspace. In regards to your other observation, 100 might be the visible display limit, but the other limit in eventstats is memory based (the default is 200MB per search using eventstats). 900. To monitor files and directories in Splunk Cloud Platform, you must use a universal or a heavy forwarder in nearly all cases. Then we could delete the original event, so that no unscrupulous users with access to our Splunk instance could harvest those plaintext passwords. Identify and migrate rules Usage of Splunk EVAL Function: MVINDEX : • This function takes two or three arguments ( X,Y,Z) • X will be a multi-value field, Y is the start index and Z is the end index. Splunk Development. W hether you are new to Splunk or just needing a refresh, this article can guide you to some of the best resources on the web for using Splunk. Splunk Enterprise loads the Add Data - Select Source page. You can use mvfilter to remove those values you do not want from your multi value field. ")) Hope this helps. Splunk and its executive officers and directors may be deemed to be participants in the solicitation of proxies from Splunk's stockholders with respect to the transaction. you could use a subsearch like: | makeresults | eval mymvfield ="a b c" | makemv mymvfield | eval excludes = mvfilter (NOT in (mymvfield, [| makeresults | eval. Dashboards & Visualizations. 0 Karma. This video shows you both commands in action. Remove mulitple values from a multivalue field. This Splunk search is an example on how to remove unwanted values from multivalue fields using mvfilter. X can take only one multivalue field at a time. len() command works fine to calculate size of JSON object field, but len() command doesn't work for array field. status!=SUCCESS doesn't work due to multiple nested JSON fields containing both SUCCESS and FAILURES. If you do not want the NULL values, use one of the following expressions: mvfilter. . Alerting. i tried with "IN function" , but it is returning me any values inside the function. I have logs that have a keyword "*CLP" repeated multiple times in each event. The current value also appears inside the filled portion of the gauge. g. JSON array must first be converted to multivalue before you can use mv-functions. Then I do lookup from the following csv file. M. The problem I am facing is this search is working fine with small size events but when it comes to large events with more CLP counts. I want to deal the multivalue field to get the counts whch is satisfied the conditions I set. This function takes matching “REGEX” and returns true or false or any given string.