topic Re: Splunk query to compare a particular field values in Splunk Enterprise

Splunk query to compare a particular field values

harshi — Wed, 27 Sep 2023 08:27:55 GMT

Hi ,

I am trying to write a query which compare all field values for a particular field and fetch the results if its not same accordingly with its details. Below is my input :

FieldA FieldB

host1 26

host2 29

host3 29

I want to compare all field values from fieldB , and if its not same then i want to fetch that count with its fieldA value.

eg : here 26 is not equal to other 2 field values , then fieldB value with fieldA values has to be displayed.

I tried with if condition

Also with below query:

|stats dc(metric_value) as count | eval value=if(count>1,"0","1")

But with above 2 , i m not able pull its host name where that value is not same.

Note: fieldB is dynamic

Help me with this !!

Re: Splunk query to compare a particular field values

bowesmana — Wed, 27 Sep 2023 08:54:35 GMT

If host1's 26 is not equal to the 29 values of host2 and host3, then what logic do you apply to host2, as its 29 is not equal to the value of host1's 26.

So effectively none of them are equal to all of the others - how do you know which one is the master value to compare against?

Re: Splunk query to compare a particular field values

bowesmana — Wed, 27 Sep 2023 09:06:04 GMT

If you are looking to find what values are not the maximum you could do this example

| makeresults | eval _raw="FieldA FieldB host1 26 host2 29 host3 29" | multikv forceheader=1 | table FieldA FieldB | eventstats dc(FieldB) as counts min(FieldB) as minFieldB max(FieldB) as maxFieldB | eval result=if(counts>1 AND FieldB<maxFieldB, FieldA, null()) | stats list(eval(if(isnotnull(result), FieldA, null()))) as Hosts list(eval(if(isnotnull(result), FieldB, null()))) as Values

to get a list of the hosts and their values that are not the maximum

Re: Splunk query to compare a particular field values

harshi — Wed, 27 Sep 2023 11:04:13 GMT

There is no master , whatever the values which are present that should be same and not different.

Re: Splunk query to compare a particular field values

bowesmana — Wed, 27 Sep 2023 22:01:23 GMT

What do you expect from 26,26,29 or 26,28,29?

Are there always only 3 numbers?

Re: Splunk query to compare a particular field values

harshi — Thu, 28 Sep 2023 06:03:00 GMT

26,26,29 : 3 numbers are not equal , so return results with 3rd number which is nor equal to other 2 .

26,28,29: again 3 number are not equal , so return results with all 3

yes , it is always 3 number itself