https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549852#M156052 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>,</P><P>This won't work for 2 reasons. First, it will only list out the started jobs again, i.e.&nbsp;<BR /><BR />Job A<BR />Job B<BR />Job C</P><P>Secondly, as I said, JOB_STATUS is a multi-value field thus, it also contains some other unnecessary values. Which causes JOB_STATUS!=stopped to list again ONLY the started jobs and also job events for the other status values.</P> Thu, 29 Apr 2021 14:30:59 GMT parthmadane 2021-04-29T14:30:59Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549848#M156049 <P>Hello all,&nbsp;</P><P>I have been struggling for a while now to create a query for comparing the events using two different values of a multi-value field.&nbsp;</P><P>For starter -</P><P>We have certain jobs running for which their status is to be monitored. Below is an example of query/data -</P><P>Query - source=src_name sourcetype=application Job_Name=*&nbsp; JOB_STATUS=started</P><P>Output -</P><P>Job A&nbsp; &nbsp; &nbsp;</P><P>Job B</P><P>Job C</P><P>Query - source=src_name sourcetype=application Job_Name=*&nbsp; JOB_STATUS=stopped</P><P>Output -</P><P>Job A</P><P>Job C</P><P>JOB_STATUS is the multi-value field that gives the respective Job's status after it starts running i.e. "Started." If the Job run is successful then it will be stopped, thus, there will be an event for that JOB with status as "Stopped".</P><P>Else, the Job will remain in started state and so, there'll only be a "Started" event present for that JOB.</P><P>What I need help with?</P><P>I need a query that can compare and give the list of those Jobs that are only started and not stopped yet.</P><P>Example Query -&nbsp;</P><P>source=src_name sourcetype=application {-- query Return jobs that are only in started and not stopped yet --}</P><DIV><DIV>Required Output -</DIV><DIV>Job B</DIV><DIV>&nbsp;</DIV></DIV><P>Please help out!</P> Thu, 29 Apr 2021 14:06:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549848#M156049 parthmadane 2021-04-29T14:06:15Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549851#M156051 <P>&nbsp;</P><LI-CODE lang="markup">source=src_name sourcetype=application JOB_STATUS=started JOB_STATUS!=stopped</LI-CODE><P>&nbsp;</P> Thu, 29 Apr 2021 14:24:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549851#M156051 ITWhisperer 2021-04-29T14:24:12Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549852#M156052 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>,</P><P>This won't work for 2 reasons. First, it will only list out the started jobs again, i.e.&nbsp;<BR /><BR />Job A<BR />Job B<BR />Job C</P><P>Secondly, as I said, JOB_STATUS is a multi-value field thus, it also contains some other unnecessary values. Which causes JOB_STATUS!=stopped to list again ONLY the started jobs and also job events for the other status values.</P> Thu, 29 Apr 2021 14:30:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549852#M156052 parthmadane 2021-04-29T14:30:59Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549853#M156053 <P>Here is a run-anywhere example with additional status values in the multi-value field showing that only job B is returned</P><LI-CODE lang="markup">| makeresults | eval event="A,started;running;other unnecessary value;stopped:B,started;running;other unnecessary value:C,started;running;other unnecessary value;stopped" | eval event=split(event,":") | mvexpand event | eval job=mvindex(split(event,","),0) | eval status=split(mvindex(split(event,","),1),";") | fields job status | fields - _time | search status!=stopped status=started</LI-CODE> Thu, 29 Apr 2021 14:36:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549853#M156053 ITWhisperer 2021-04-29T14:36:54Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549992#M156075 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;,</P><P>I think the information provided by me earlier, was a bit ambiguous. Basically, there is one event each generated w.r.t the JOB. For e.g. when it starts, then runs, some other values, stops. When the events are of such nature, the given solution does not work.</P><P>I have made some changes to your sample events to better replicate mine.</P><P>| makeresults<BR />| eval event="A,started:A,running:A,other unnecessary value:A,stopped:B,started:B,running:B,other unnecessary value:C,started:C,running:C,other unnecessary value:C,stopped"<BR />| eval event=split(event,":")<BR />| mvexpand event<BR />| eval job=mvindex(split(event,","),0)<BR />| eval status=split(mvindex(split(event,","),1),";")<BR />| fields job status<BR />| fields - _time<BR />| search status!=stopped status=started</P><P>You will notice that both the&nbsp;status!=stopped status=started and&nbsp;status=started are returning the same result in this (my) scenario.</P><P>Is there any way to compare the events and only return those jobs that are only in started and have not stopped yet. Your help in this regard is appreciated <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 30 Apr 2021 12:20:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549992#M156075 parthmadane 2021-04-30T12:20:24Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549994#M156077 <P>You can gather the information on the job together so the status is a multi-value field, then the search will work</P><LI-CODE lang="markup">| makeresults | eval event="A,started:A,running:A,other unnecessary value:A,stopped:B,started:B,running:B,other unnecessary value:C,started:C,running:C,other unnecessary value:C,stopped" | eval event=split(event,":") | mvexpand event | eval job=mvindex(split(event,","),0) | eval status=split(mvindex(split(event,","),1),";") | fields job status | fields - _time | stats values(status) as status by job | search status!=stopped status=started</LI-CODE> Fri, 30 Apr 2021 12:26:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549994#M156077 ITWhisperer 2021-04-30T12:26:47Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549996#M156079 <P>If you want to keep all the original data, use eventstats instead</P><LI-CODE lang="markup">| makeresults | eval event="A,started:A,running:A,other unnecessary value:A,stopped:B,started:B,running:B,other unnecessary value:C,started:C,running:C,other unnecessary value:C,stopped" | eval event=split(event,":") | mvexpand event | eval job=mvindex(split(event,","),0) | eval status=split(mvindex(split(event,","),1),";") | fields job status | fields - _time | eventstats values(status) as allstatus by job | search allstatus!=stopped allstatus=started</LI-CODE> Fri, 30 Apr 2021 12:29:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-events-using-two-values-of-a-multi-value-field/m-p/549996#M156079 ITWhisperer 2021-04-30T12:29:10Z