https://community.splunk.com/t5/Splunk-Search/SPLUNK-SPL-on-an-scenario/m-p/483685#M193348 <P>Hi @naliniasb:</P> <P>can ou try by <STRONG><EM>join</EM></STRONG> command:</P> <PRE><CODE>| makeresults | eval HRA="AAAA,BBBB,CCCC" | eval HRA=split(HRA,",") | mvexpand HRA | join type=left HRA [| makeresults | eval HRA="DDDD,BBBB,CCCC" | eval HRA=split(HRA,",") | mvexpand HRA | eval HRK=HRA | table HRA, HRK] | eval HRK=if(isnull(HRK),"yet to be applied",HRK) </CODE></PRE> Thu, 16 Jan 2020 10:40:06 GMT TISKAR 2020-01-16T10:40:06Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-SPL-on-an-scenario/m-p/483684#M193347 <P>Have 2 DB connection and i want to compare the DB1 connection HRA field keeping as primary key say here in this example <BR /> it is HRA field with DB2 connection ex below field is HRK ,so that it compares with all the data values and if present it should give HRA field value else "yet to be applied"<BR /> Sample query to explain the scenario::<BR /> | makeresults <BR /> | eval HRA="AAAA,BBBB,CCCC" <BR /> | eval HRA=split(HRA,",") <BR /> | mvexpand HRA<BR /><BR /> |append [| makeresults |search<BR /> | eval HRK="DDDD,BBBB,CCCC" <BR /> | eval HRK=split(HRK,",") <BR /> | mvexpand HRK]<BR /> expected output of this will be as below:<BR /> HRA HRK _time<BR /> AAAA yet to be applied<BR /> BBBB BBBB<BR /> CCCC CCCC</P> Thu, 16 Jan 2020 06:50:07 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-SPL-on-an-scenario/m-p/483684#M193347 naliniasb 2020-01-16T06:50:07Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-SPL-on-an-scenario/m-p/483685#M193348 <P>Hi @naliniasb:</P> <P>can ou try by <STRONG><EM>join</EM></STRONG> command:</P> <PRE><CODE>| makeresults | eval HRA="AAAA,BBBB,CCCC" | eval HRA=split(HRA,",") | mvexpand HRA | join type=left HRA [| makeresults | eval HRA="DDDD,BBBB,CCCC" | eval HRA=split(HRA,",") | mvexpand HRA | eval HRK=HRA | table HRA, HRK] | eval HRK=if(isnull(HRK),"yet to be applied",HRK) </CODE></PRE> Thu, 16 Jan 2020 10:40:06 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-SPL-on-an-scenario/m-p/483685#M193348 TISKAR 2020-01-16T10:40:06Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-SPL-on-an-scenario/m-p/483686#M193349 <P>nope this is not going to work under join you have given same HRA which is not expected<BR /> i have 2 DB connection and my requirement is with one of primary key field i need to compare the other DB connection with field(all the values in that field) and say if present then keep same value if not set "yet to be applied"</P> Fri, 17 Jan 2020 12:36:34 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-SPL-on-an-scenario/m-p/483686#M193349 naliniasb 2020-01-17T12:36:34Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-SPL-on-an-scenario/m-p/483687#M193350 <P>Can anyone suggest on this</P> Mon, 20 Jan 2020 10:27:46 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-SPL-on-an-scenario/m-p/483687#M193350 naliniasb 2020-01-20T10:27:46Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-SPL-on-an-scenario/m-p/483688#M193351 <PRE><CODE>| makeresults | eval HRA="AAAA,BBBB,CCCC" | eval HRA=split(HRA,",") | mvexpand HRA |append [| makeresults |search | eval HRK="DDDD,BBBB,CCCC" | eval HRK=split(HRK,",") | mvexpand HRK] | appendpipe [ eval tmp=coalesce(HRA,HRK) | selfjoin tmp] | streamstats count | reverse | dedup HRA | sort count | table HRA HRK _time | fillnull value="yet to be applied" </CODE></PRE> <P>Hi, @naliniasb <BR /> I make the query from your sample. how about this?</P> Mon, 20 Jan 2020 12:41:21 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-SPL-on-an-scenario/m-p/483688#M193351 to4kawa 2020-01-20T12:41:21Z