https://community.splunk.com/t5/Splunk-Search/Compare-multivalues-from-different-rows/m-p/649254#M224508 <P>Work as intended, great thanks!</P> Wed, 05 Jul 2023 07:11:27 GMT farhad 2023-07-05T07:11:27Z https://community.splunk.com/t5/Splunk-Search/Compare-multivalues-from-different-rows/m-p/649123#M224479 <P>In my search i have 2 rows, column specifying the week and the other column a multi-value field of EventIDs. I need to compare one row multievalue field to another row multi value field. And Output the different event values from these 2 rows.</P><P>______________________________<BR /><BR />my search<BR />| stats values(EventID) by week<BR /><BR />Result:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%" height="25px"><STRONG>week</STRONG></TD><TD width="50%" height="25px"><STRONG>values(EventID)</STRONG></TD></TR><TR><TD width="50%" height="465px">This week</TD><TD width="50%" height="465px"><DIV class="">4624</DIV><DIV class="">4625</DIV><DIV class="">4627</DIV><DIV class="">4634</DIV><DIV class="">4647</DIV><DIV class="">4648</DIV><DIV class="">4656</DIV><DIV class="">4658</DIV><DIV class="">4661</DIV><DIV class="">4663</DIV><DIV class="">4664</DIV><DIV class="">4670</DIV><DIV class="">4672</DIV><DIV class="">4673</DIV><DIV class="">4674</DIV><DIV class="">4688</DIV><DIV class="">4689</DIV><DIV class="">4690</DIV><DIV class="">4692</DIV><DIV class="">4693</DIV><DIV class="">4698</DIV></TD></TR><TR><TD height="25px">Previous Week</TD><TD height="25px"><DIV class=""><DIV class="">4624</DIV><DIV class="">4625</DIV><DIV class="">4627</DIV><DIV class="">4634</DIV><DIV class="">4647</DIV><DIV class="">4648</DIV><DIV class="">4656</DIV><DIV class="">4658</DIV><DIV class="">4661</DIV><DIV class="">4663</DIV><DIV class="">4664</DIV><DIV class="">4670</DIV><DIV class="">4672</DIV><DIV class="">4673</DIV><DIV class="">4674</DIV><DIV class="">4688</DIV><DIV class="">4689</DIV><DIV class="">4690</DIV><DIV class="">4692</DIV><DIV class="">4693</DIV><DIV class="">4698</DIV><DIV class="">4702</DIV><DIV class="">4720</DIV><DIV class="">4722</DIV><DIV class="">4724</DIV><DIV class="">4725</DIV></DIV></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Now i desire to compare "this week" event values with "previous week" event values and table values not seen in both weeks. Any suggestions is much appreciated, thanks!<BR /><BR /></P> Tue, 04 Jul 2023 13:42:56 GMT https://community.splunk.com/t5/Splunk-Search/Compare-multivalues-from-different-rows/m-p/649123#M224479 farhad 2023-07-04T13:42:56Z https://community.splunk.com/t5/Splunk-Search/Compare-multivalues-from-different-rows/m-p/649163#M224489 <P>You have to use transpose to get the values into the same event so you can compare them; can then transpose again to return them to different event (if that's what you require).</P><LI-CODE lang="markup">| transpose 0 header_field=week column_name=events | foreach mode=multivalue "Previous Week" [| eval missing=if(in(&lt;&lt;ITEM&gt;&gt;,'This week'),missing,mvappend(missing,&lt;&lt;ITEM&gt;&gt;))] | foreach mode=multivalue "This week" [| eval new=if(in(&lt;&lt;ITEM&gt;&gt;,'Previous Week'),new,mvappend(new,&lt;&lt;ITEM&gt;&gt;))] | transpose 0 header_field=events column_name=week</LI-CODE> Tue, 04 Jul 2023 15:10:34 GMT https://community.splunk.com/t5/Splunk-Search/Compare-multivalues-from-different-rows/m-p/649163#M224489 ITWhisperer 2023-07-04T15:10:34Z https://community.splunk.com/t5/Splunk-Search/Compare-multivalues-from-different-rows/m-p/649165#M224490 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/251818">@farhad</a>&nbsp;</P><P>Can you please try this?</P><LI-CODE lang="markup">YOUR_SEARCH | stats values(week) as weeks by EventID | eval status = case(mvcount(weeks)==2,"Available In Both",weeks="This week","Available In This Week",weeks="Previous Week","Available In Previous Week") | stats values(EventID) as EventIDs by status</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="week EventID This week 4624,4625,4627,4634,4647,4648,4656,4658,4661,4663,4664,4670,4672,4673,4674,4688,4689,4690,4692,4693,4698,100,102,103 Previous Week 4624,4625,4627,4634,4647,4648,4656,4658,4661,4663,4664,4670,4672,4673,4674,4688,4689,4690,4692,4693,4698,4702,4720,4722,4724,4725 " | multikv forceheader=1 | eval EventID=split(EventID,",") | mvexpand EventID | table week EventID | rename comment as "Upto now is for sample data only" | stats values(week) as weeks by EventID | eval status = case(mvcount(weeks)==2,"Available In Both",weeks="This week","Available In This Week",weeks="Previous Week","Available In Previous Week") | stats values(EventID) as EventIDs by status</LI-CODE><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-07-04 at 8.58.03 PM.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26120i3531DEFAEBE7993E/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2023-07-04 at 8.58.03 PM.png" alt="Screenshot 2023-07-04 at 8.58.03 PM.png" /></span></P><P>&nbsp;</P><P>I hope this will help you.</P><P>&nbsp;</P><P>Thanks<BR />KV<BR />If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Tue, 04 Jul 2023 15:28:53 GMT https://community.splunk.com/t5/Splunk-Search/Compare-multivalues-from-different-rows/m-p/649165#M224490 kamlesh_vaghela 2023-07-04T15:28:53Z https://community.splunk.com/t5/Splunk-Search/Compare-multivalues-from-different-rows/m-p/649254#M224508 <P>Work as intended, great thanks!</P> Wed, 05 Jul 2023 07:11:27 GMT https://community.splunk.com/t5/Splunk-Search/Compare-multivalues-from-different-rows/m-p/649254#M224508 farhad 2023-07-05T07:11:27Z