https://community.splunk.com/t5/Splunk-Search/Pair-wise-Comparison-Across-Values-of-Different-Fields/m-p/310065#M163532 <P>Splunk newbie here. What I'm trying to do is a pair-wise comparison across all of the values of two different fields, in order to find certain similarities. I already have an initial search which finds the events and values for these two fields, let's call them "foo" and "bar", but the pair-wise comparison aspect is eluding me so far.</P> <P>Some more info:</P> <UL> <LI>Both "foo" and "bar" are regular/non-multi value fields</LI> <LI>"Foo" and "bar" are mutually exclusive - an event can have one or the other, but not both</LI> <LI>"Foo" and "bar" both contain string values</LI> </UL> <P>More precisely, what I need to go is generate all of the combinations between the values of these two fields, so that I can do the comparison across them. For instance, if "foo" has values of "A" and "B", and "bar" has values of "C" and "D", I would need to compare "A" and "C", "A" and "D", "B" and "C", etc.</P> <P>So theoretically my search would look something like:</P> <P><CODE>initial_search|pairwise_comparison_stuff|where foo LIKE bar</CODE></P> <P>I feel like this should be possible using <CODE>streamstats</CODE> or something of the like, but any help would be appreciated!</P> Wed, 17 Jan 2018 21:38:34 GMT ikiril01 2018-01-17T21:38:34Z https://community.splunk.com/t5/Splunk-Search/Pair-wise-Comparison-Across-Values-of-Different-Fields/m-p/310065#M163532 <P>Splunk newbie here. What I'm trying to do is a pair-wise comparison across all of the values of two different fields, in order to find certain similarities. I already have an initial search which finds the events and values for these two fields, let's call them "foo" and "bar", but the pair-wise comparison aspect is eluding me so far.</P> <P>Some more info:</P> <UL> <LI>Both "foo" and "bar" are regular/non-multi value fields</LI> <LI>"Foo" and "bar" are mutually exclusive - an event can have one or the other, but not both</LI> <LI>"Foo" and "bar" both contain string values</LI> </UL> <P>More precisely, what I need to go is generate all of the combinations between the values of these two fields, so that I can do the comparison across them. For instance, if "foo" has values of "A" and "B", and "bar" has values of "C" and "D", I would need to compare "A" and "C", "A" and "D", "B" and "C", etc.</P> <P>So theoretically my search would look something like:</P> <P><CODE>initial_search|pairwise_comparison_stuff|where foo LIKE bar</CODE></P> <P>I feel like this should be possible using <CODE>streamstats</CODE> or something of the like, but any help would be appreciated!</P> Wed, 17 Jan 2018 21:38:34 GMT https://community.splunk.com/t5/Splunk-Search/Pair-wise-Comparison-Across-Values-of-Different-Fields/m-p/310065#M163532 ikiril01 2018-01-17T21:38:34Z https://community.splunk.com/t5/Splunk-Search/Pair-wise-Comparison-Across-Values-of-Different-Fields/m-p/310066#M163533 <P>Update: I was able to generate my pair-wise comparison and get things working through <CODE>map</CODE>. However, I did find some weirdness in how <CODE>map</CODE>'s <CODE>search</CODE> parameter handles <CODE>rex</CODE> expressions, which took quite a bit of debugging and testing to resolve. I'll probably submit a separate question/issue for that.</P> Mon, 22 Jan 2018 18:12:19 GMT https://community.splunk.com/t5/Splunk-Search/Pair-wise-Comparison-Across-Values-of-Different-Fields/m-p/310066#M163533 ikiril01 2018-01-22T18:12:19Z