topic Re: match values in same fields in Splunk Search

match values in same fields

perryd — Thu, 09 May 2019 13:36:08 GMT

Hi, i would match two field, exactly:
field1 - field2
1 - Empty
1 - Empty
1 - Empty
Empty - 2
Empty - 2

Empty - 2

It's possible sort the values in order to obtain this?:
field1 - field2
1 - 2
1 - 2
1 - 2

Re: match values in same fields

somesoni2 — Thu, 09 May 2019 14:42:20 GMT

Would need more information regarding what you wish to achieve here. From where did the current output is coming, as a result of a search or from raw data directly? Will there always be same number of rows for each field which has values?

Re: match values in same fields

perryd — Thu, 09 May 2019 15:32:19 GMT

So, my number of row its variable. My data its in a unique index. You can image one index with 3 fields:
FIELD1 - FIELD2 - FIELD3
Hostname1 - values - null()
Hostname2 - values - null()
Hostname3 - values - null()
Hostname4 - values - null()
.................... - ................ - ...........
HostnameN - values - null()
Hostname1 - null() - values

Hostname2 - null() - values

Hostname3 - null() - values

Hostname4 - null() - values

.................... - ................ - ...........

HostnameN - null() - values

What i wont is a match for values in field2 with values in field3. My key is Field 1. My search result should look like this:
FIELD1 - FIELD2 - FIELD3
Hostname1 - values - values

Hostname2 - values - values

Hostname3 - values - values

Hostname4 - values - values

.................... - ................ - ...............
Hostnamen - values - values

Re: match values in same fields

woodcock — Sat, 11 May 2019 18:29:11 GMT

Like this:

| makeresults 
| eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| kv
| table field*

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| streamstats count(field1) AS F1 count(field2) AS F2
| foreach F* [ eval <<FIELD>> = if(isnull(field<<MATCHSTR>>), null(), <<FIELD>>) ]
| eval _F=coalesce(F1, F2)
| fields - F*
| selfjoin _F

Re: match values in same fields

woodcock — Sat, 11 May 2019 18:31:30 GMT

My other answer answered the question that you actually asked, but given your clarification comment, what you actually need is this:

... | stats values(*) AS * BY FIELD1

Re: match values in same fields

perryd — Mon, 13 May 2019 06:58:04 GMT

the problem is that i've about 11000 row and i can't calculate " eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4"
there is some function that do it automatically?

Re: match values in same fields

woodcock — Mon, 13 May 2019 19:37:31 GMT

Did you even try my solution? It handles variable number/names of fields dynamically.

Re: match values in same fields

perryd — Mon, 13 May 2019 19:44:47 GMT

i don't know what put in the row "| eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4".
You say me that it is dynamic, but what i write? I've need to use two fields and 11000 row...
maybe i'm not understand, i'm sorry.

Re: match values in same fields

woodcock — Mon, 13 May 2019 22:28:09 GMT

Forget my other answer entirely. Take your existing search (everything up to the first pipe) and add this answer to the bottom of that. Done.