https://community.splunk.com/t5/Splunk-Search/compare-two-fields-in-json-data-and-display-data-in-the-third/m-p/543790#M154041 <P class="lia-align-left">Hi all,</P><P>I have only started working on splunk recently and i am stuck at one query. So, I have JSON data like below:</P><P>&nbsp;</P><LI-CODE lang="markup">catDevices: [ { model: A1_1234 Name: ZASNJHCDNA } { model: A1_5678 Name: JNDIHUEDHNJ }] Devices : [ JNDIHUEDHNJ NVBBVUYVBHI ]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I want to compare "Devices" with caDevices{}.Name and if it matches i want to display Devices and model list.</P><P>I tried this query</P><P>&nbsp;</P><LI-CODE lang="markup">index=main sourcetype=device |rename Devices{} as success | mvexpand success |dedup success |rename catDevices{}. model as Model ,rename catDevices{}.Name as device_name |eval zip = mvzip(Model, device_name) |fields - _raw |mvexpand zip | rex field = zip "(?&lt;MODEL&gt;.*),(?&lt;DEVICE&gt;.*)" | fields - zip | eval Status = if(match(MODEL,"A1*"), if(success == DEVICE, success, "NO MATCH"), "NO MATCH") | table success, MODEL, Status | where Status != "NO MATCH" | stats count(success) </LI-CODE><P>&nbsp;</P><P>It worked but as the data increases , due to mvexpand threshold the result is not accurate. Can you please tell me how i can correct my query or if you can provide a different solution for my question, any help would be appreciated. thanks in advance.</P><P>&nbsp;</P> Wed, 17 Mar 2021 12:20:10 GMT nikitha15 2021-03-17T12:20:10Z https://community.splunk.com/t5/Splunk-Search/compare-two-fields-in-json-data-and-display-data-in-the-third/m-p/543790#M154041 <P class="lia-align-left">Hi all,</P><P>I have only started working on splunk recently and i am stuck at one query. So, I have JSON data like below:</P><P>&nbsp;</P><LI-CODE lang="markup">catDevices: [ { model: A1_1234 Name: ZASNJHCDNA } { model: A1_5678 Name: JNDIHUEDHNJ }] Devices : [ JNDIHUEDHNJ NVBBVUYVBHI ]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I want to compare "Devices" with caDevices{}.Name and if it matches i want to display Devices and model list.</P><P>I tried this query</P><P>&nbsp;</P><LI-CODE lang="markup">index=main sourcetype=device |rename Devices{} as success | mvexpand success |dedup success |rename catDevices{}. model as Model ,rename catDevices{}.Name as device_name |eval zip = mvzip(Model, device_name) |fields - _raw |mvexpand zip | rex field = zip "(?&lt;MODEL&gt;.*),(?&lt;DEVICE&gt;.*)" | fields - zip | eval Status = if(match(MODEL,"A1*"), if(success == DEVICE, success, "NO MATCH"), "NO MATCH") | table success, MODEL, Status | where Status != "NO MATCH" | stats count(success) </LI-CODE><P>&nbsp;</P><P>It worked but as the data increases , due to mvexpand threshold the result is not accurate. Can you please tell me how i can correct my query or if you can provide a different solution for my question, any help would be appreciated. thanks in advance.</P><P>&nbsp;</P> Wed, 17 Mar 2021 12:20:10 GMT https://community.splunk.com/t5/Splunk-Search/compare-two-fields-in-json-data-and-display-data-in-the-third/m-p/543790#M154041 nikitha15 2021-03-17T12:20:10Z https://community.splunk.com/t5/Splunk-Search/compare-two-fields-in-json-data-and-display-data-in-the-third/m-p/543851#M154056 <P>There appear to be a couple of typos(?) in your query (order of fields in mvzip don't match rex extraction, table field name should be success not suc, device is not listed in table so count should possibly be MODEL), but aside from this, if the issue is to do with mvexpand limitations, have a look at this solution to see if it helps&nbsp;<A href="https://community.splunk.com/t5/Splunk-Enterprise/Alternatives-to-using-MVExpand-running-into-limitations/m-p/541523#M5051" target="_self">https://community.splunk.com/t5/Splunk-Enterprise/Alternatives-to-using-MVExpand-running-into-limitations/m-p/541523#M5051</A>&nbsp;</P> Mon, 15 Mar 2021 12:33:28 GMT https://community.splunk.com/t5/Splunk-Search/compare-two-fields-in-json-data-and-display-data-in-the-third/m-p/543851#M154056 ITWhisperer 2021-03-15T12:33:28Z