https://community.splunk.com/t5/Splunk-Search/How-to-compare-multivalue-fields-Union-intersection-membership/m-p/653483#M225824 <P>To answer this, I've prepared a makeresults with examples of many of these mvfield comparisons.<BR />Hopefully someone finds these useful!<BR /><BR />If you came searching for a different usecase, plase leave a comment with the keywords that would have helped you find this post so others will have an easier time</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval f1="a", f2=split("a,b,c,d", ",") | append [| makeresults | eval f1="a", f2=split("b,c,d",",")] | append [| makeresults | eval f1=split("a,b", ","), f2=split("a,b",",")] | append [| makeresults | eval f1=split("b,a", ","), f2=split("a,b",",")] | append [| makeresults | eval f1=split("a,b", ","), f2=split("a,b,c,d",",")] | append [| makeresults | eval f1=split("c,a", ","), f2=split("a,b,c,d",",")] | append [| makeresults | eval f1=split("a,b", ","), f2=split("b,c,d",",")] | append [| makeresults | eval f1=split("a,b", ","), f2=split("c,d",",")] | fields - _time | eval intersection=mvmap(f1, if(f1=f2, f1, null())) | eval f1_not_f2=mvmap(f1, if(f1==f2, null(), f1)) | eval f2_not_f1=mvmap(f2, if(f2==f1, null(), f2)) | eval union = mvsort(mvdedup(mvappend(f1, f2))) | eval equality = if(f1=f2, 1, 0) | eval equivalence = if(mvmap(f1, if(f1==f2, 0, f1)) == mvmap(f2, if(f2==f1, 0, f2)), 1, 0) | eval any_f1_in_f2 = if(mvcount(intersection)&gt;0, 1, 0) | eval all_f1_in_f2 = if(mvmap(f1, if(f1==intersection, 0, f1)) == mvmap(intersection, if(intersection==f1, 0, intersection)), 1, 0) | table f1, f2, f1_not_f2, intersection, f2_not_f1, union, equality, equivalence, all_f1_in_f2, any_f1_in_f2</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Tue, 08 Aug 2023 00:40:24 GMT emottola 2023-08-08T00:40:24Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-multivalue-fields-Union-intersection-membership/m-p/653482#M225823 <P>When comparing multivalue fields, there are a number of relationships one might be interested in.</P><P>Equality is easy to check, but what about more complex relationships?&nbsp;<BR />Are any members of f1 in f2?<BR />What fields do f1 and f2 have in common(intersection)?<BR />What fields are unique to f1?</P> Mon, 07 Aug 2023 23:58:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-multivalue-fields-Union-intersection-membership/m-p/653482#M225823 emottola 2023-08-07T23:58:24Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-multivalue-fields-Union-intersection-membership/m-p/653483#M225824 <P>To answer this, I've prepared a makeresults with examples of many of these mvfield comparisons.<BR />Hopefully someone finds these useful!<BR /><BR />If you came searching for a different usecase, plase leave a comment with the keywords that would have helped you find this post so others will have an easier time</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval f1="a", f2=split("a,b,c,d", ",") | append [| makeresults | eval f1="a", f2=split("b,c,d",",")] | append [| makeresults | eval f1=split("a,b", ","), f2=split("a,b",",")] | append [| makeresults | eval f1=split("b,a", ","), f2=split("a,b",",")] | append [| makeresults | eval f1=split("a,b", ","), f2=split("a,b,c,d",",")] | append [| makeresults | eval f1=split("c,a", ","), f2=split("a,b,c,d",",")] | append [| makeresults | eval f1=split("a,b", ","), f2=split("b,c,d",",")] | append [| makeresults | eval f1=split("a,b", ","), f2=split("c,d",",")] | fields - _time | eval intersection=mvmap(f1, if(f1=f2, f1, null())) | eval f1_not_f2=mvmap(f1, if(f1==f2, null(), f1)) | eval f2_not_f1=mvmap(f2, if(f2==f1, null(), f2)) | eval union = mvsort(mvdedup(mvappend(f1, f2))) | eval equality = if(f1=f2, 1, 0) | eval equivalence = if(mvmap(f1, if(f1==f2, 0, f1)) == mvmap(f2, if(f2==f1, 0, f2)), 1, 0) | eval any_f1_in_f2 = if(mvcount(intersection)&gt;0, 1, 0) | eval all_f1_in_f2 = if(mvmap(f1, if(f1==intersection, 0, f1)) == mvmap(intersection, if(intersection==f1, 0, intersection)), 1, 0) | table f1, f2, f1_not_f2, intersection, f2_not_f1, union, equality, equivalence, all_f1_in_f2, any_f1_in_f2</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Tue, 08 Aug 2023 00:40:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-multivalue-fields-Union-intersection-membership/m-p/653483#M225824 emottola 2023-08-08T00:40:24Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-multivalue-fields-Union-intersection-membership/m-p/653484#M225825 <P>mvmap is your friend here. See this example which creates 2 random MV fields and then does the comparisons</P><LI-CODE lang="markup">| makeresults | fields - _time | eval f1=mvrange(0,10,(random() % 3 + 1)) | eval f2=mvrange(5,20,(random() % 4 + 1)) | eval f1_exists_in_f2=max(f1_exists_in_f2, mvmap(f1, if(isnotnull(mvfind(f2, f1)), 1, 0))) | eval f1_values_in_f2=mvmap(f1, if(f1=f2, f1, null())) | eval f1_values_not_in_f2=mvmap(f1, if(f1!=f2, f1, null())) | table f1 f2 f1_exists* f1_values*</LI-CODE> Tue, 08 Aug 2023 00:10:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-multivalue-fields-Union-intersection-membership/m-p/653484#M225825 bowesmana 2023-08-08T00:10:34Z