topic Re: Get top combination from a multi value field in Splunk Search

Get top combination from a multi value field

Shashank_87 — Wed, 22 Aug 2018 11:24:50 GMT

Hi, I have a multi value field who has data something like below which has been extracted from some web service.
I am looking to find the combination which occurs maximum time -
Event 1 Combo 1 -
A
B
C
D
Event 2 Combo 2 -
B
C
D
F
Event 3 Combo 3 -
G
B
Q
R
There could be different combinations. I want to compare these combinations and get the one which occurs in maximum events.

Re: Get top combination from a multi value field

niketn — Wed, 22 Aug 2018 12:04:11 GMT

@Shashank_87 so what do you mean by maximum occurrence of a combination? In the above example what would the desired output be? Also are these Single events multi-valued fields? Finally what is the query you have tried so far and what is the output you got?

Re: Get top combination from a multi value field

Shashank_87 — Wed, 22 Aug 2018 12:42:49 GMT

Ok For example below are the 2 events with multiple values -
Combination 1 -
Line Rental
Player TV (M)
Talk Weekends (Corona)
Set Top Box 500Gb
100 Optical Fibre (Unlimited) (XL100 UL)
Value Migration Q1

Combination 2 -
Essential Collection TV L,. TiVo ??5
Fun TV (L)
Line Rental
New Bundle 12 Mont
(Unlimited data) (L70)
Talk Evenings and Weekends
Set Top Box 500Gb
Voicemail Free

Like this I have extracted and created a table with combinations. Now some of these combinations could be same. So i want to find out those combinations

Re: Get top combination from a multi value field

somesoni2 — Wed, 22 Aug 2018 16:22:29 GMT

By same do you mean whole set (e.g. ABCD in your first example data) matching, with order?

Re: Get top combination from a multi value field

nadlurinadluri — Fri, 24 Aug 2018 22:19:33 GMT

If you have the multivalue fields with values ABCD, BCDF,ABCD,BCDF,JKLM...
You want to get ABCD and BCDF as the output?

Re: Get top combination from a multi value field

kamlesh_vaghela — Tue, 28 Aug 2018 16:43:36 GMT

@Shashank_87

Can you please try the following search? Note: Here, I have assumed the Event field contains the combinations.

YOUR_SEARCH 
| eval Event=mvsort(Event)
| eval Event=mvjoin(Event,",") 
| top Event
| eval Event=split(Event,",")

My Sample Search:

| makeresults 
| eval Event="A,B,C,D|B,C,D,E|A,B,C,D|B,C,D,E|X,Y,Z|B,A,C,D" 
| eval Event=split(Event,"|") 
| mvexpand Event 
| eval Event=split(Event,",") 
| table Event 
| eval Event=mvsort(Event)
| eval Event=mvjoin(Event,",") 
| top Event
| eval Event=split(Event,",")

Here I have managed multivalue with the different order. If you don't want it then remove | eval Event=mvsort(Event) from search.

Thanks