https://community.splunk.com/t5/Splunk-Search/Find-nearest-value-in-numeric-multivalue-field-to-other-numeric/m-p/673572#M230644 <P>Not sure if you still need this answered but figure I'd give it a shot in case anybody else has a similar problem they need to solve.<BR /><BR />I think something like this would do what you are looking for.</P><LI-CODE lang="markup">&lt;base_search&gt; ``` lookup historical values for each user (potentially mv field) ``` | lookup &lt;lookup_name&gt; user OUTPUT Amount_Hist ``` loop through Amount_Hist values and finding the diff of each compared to the users current value, then take the minimum value and assign it to it's own field "Amount_Hist_min_diff" ``` | eval Amount_Hist_min_diff=min( case( mvcount(Amount_Hist)==1, abs('Amount_Hist'-'Amount'), mvcount(Amount_Hist)&gt;1, mvmap(Amount_Hist, abs('Amount_Hist'-'Amount')) ) ), ``` loop back through historical values and only return the values whos diff is equal to the minimum diff value assigned previously ``` Closest_Amount_Hist_value=mvdedup( case( mvcount(Amount_Hist)==1, if(abs('Amount_Hist'-'Amount')=='Amount_Hist_min_diff', 'Amount_Hist', null()), mvcount(Amount_Hist)&gt;1, mvmap(Amount_Hist, if(abs('Amount_Hist'-'Amount')=='Amount_Hist_min_diff', 'Amount_Hist', null())) ) )</LI-CODE><P>&nbsp;You can see that the field "Closest_Amount_Hist_value" holds the value closest the the user's current value, this can potentially hold multiple values if they are are equidistant from the current value. As show below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_1-1704753142009.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28796iEB33F4DF512A9449/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_1-1704753142009.png" alt="dtburrows3_1-1704753142009.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 08 Jan 2024 22:32:59 GMT dtburrows3 2024-01-08T22:32:59Z https://community.splunk.com/t5/Splunk-Search/Find-nearest-value-in-numeric-multivalue-field-to-other-numeric/m-p/399163#M115731 <P>I have events with a numeric field "Amount" and a field "User". In a KV Store collection I keep the Amount history values for a each User (Amount_Hist). With a lookup I can get the Amount_Hist for a user in a numeric multivalue field.</P> <P>Given a new event for a user and the the value of Amount, I need to get the nearest value from the Amount_Hist (where Amount_Hist is a multivalue field and Amount a single value field).</P> <P>I cant use mvexpand to do it because Amount_Hist is very large and mvexpand produce exesive memory usage when is applied for multiple events.</P> <P>Thanks a lot for any sugerence.</P> Wed, 30 Sep 2020 00:45:30 GMT https://community.splunk.com/t5/Splunk-Search/Find-nearest-value-in-numeric-multivalue-field-to-other-numeric/m-p/399163#M115731 sematag 2020-09-30T00:45:30Z https://community.splunk.com/t5/Splunk-Search/Find-nearest-value-in-numeric-multivalue-field-to-other-numeric/m-p/673572#M230644 <P>Not sure if you still need this answered but figure I'd give it a shot in case anybody else has a similar problem they need to solve.<BR /><BR />I think something like this would do what you are looking for.</P><LI-CODE lang="markup">&lt;base_search&gt; ``` lookup historical values for each user (potentially mv field) ``` | lookup &lt;lookup_name&gt; user OUTPUT Amount_Hist ``` loop through Amount_Hist values and finding the diff of each compared to the users current value, then take the minimum value and assign it to it's own field "Amount_Hist_min_diff" ``` | eval Amount_Hist_min_diff=min( case( mvcount(Amount_Hist)==1, abs('Amount_Hist'-'Amount'), mvcount(Amount_Hist)&gt;1, mvmap(Amount_Hist, abs('Amount_Hist'-'Amount')) ) ), ``` loop back through historical values and only return the values whos diff is equal to the minimum diff value assigned previously ``` Closest_Amount_Hist_value=mvdedup( case( mvcount(Amount_Hist)==1, if(abs('Amount_Hist'-'Amount')=='Amount_Hist_min_diff', 'Amount_Hist', null()), mvcount(Amount_Hist)&gt;1, mvmap(Amount_Hist, if(abs('Amount_Hist'-'Amount')=='Amount_Hist_min_diff', 'Amount_Hist', null())) ) )</LI-CODE><P>&nbsp;You can see that the field "Closest_Amount_Hist_value" holds the value closest the the user's current value, this can potentially hold multiple values if they are are equidistant from the current value. As show below.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dtburrows3_1-1704753142009.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28796iEB33F4DF512A9449/image-size/medium?v=v2&amp;px=400" role="button" title="dtburrows3_1-1704753142009.png" alt="dtburrows3_1-1704753142009.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Mon, 08 Jan 2024 22:32:59 GMT https://community.splunk.com/t5/Splunk-Search/Find-nearest-value-in-numeric-multivalue-field-to-other-numeric/m-p/673572#M230644 dtburrows3 2024-01-08T22:32:59Z https://community.splunk.com/t5/Splunk-Search/Find-nearest-value-in-numeric-multivalue-field-to-other-numeric/m-p/673573#M230645 <P>An alternative which will just return a single 'closest' value using foreach is</P><LI-CODE lang="markup">your_search_and_lookup | eval diff=max(Amount_Hist) | foreach Amount_Hist mode=multivalue [ eval new_diff=min(diff, abs(Amount-&lt;&lt;ITEM&gt;&gt;)), closest=if(new_diff&lt;diff, &lt;&lt;ITEM&gt;&gt;, closest), diff=new_diff ] | fields - new_diff</LI-CODE><P>&nbsp;</P> Mon, 08 Jan 2024 23:15:03 GMT https://community.splunk.com/t5/Splunk-Search/Find-nearest-value-in-numeric-multivalue-field-to-other-numeric/m-p/673573#M230645 bowesmana 2024-01-08T23:15:03Z