topic Re: need difference from multivalue table column in Splunk Search

need difference from multivalue table column

secure — Thu, 20 Mar 2025 15:18:00 GMT

i have a list of hostnames being generated from left join for different application in multivalue table column

APP1

hostname1

hostnames2

appdelta

syzhost.domain1

abchost.domain1

egfhost.domain1

syzhost.domain1

abchost.domain1

what i need is a column with just egfhostdomain1 in a separete column just showing the diff of the list

Re: need difference from multivalue table column

ITWhisperer — Thu, 20 Mar 2025 15:48:31 GMT

| foreach hostname1 mode=multivalue [| eval diff=if(mvfind(hostnames2,<<ITEM>>)>=0,diff,mvappend(diff,<<ITEM>>))]

Re: need difference from multivalue table column

secure — Thu, 20 Mar 2025 16:20:32 GMT

@ITWhisperer

i tried the query not getting the output

| makeresults
| eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=mvappend("syzhost.domain1","abchost.domain1")
| fields - _time
| foreach hostname1 mode=multivalue
[| eval diff=if(mvfind(hostnames2,<<ITEM>>)>=0,diff,mvappend(diff,<<ITEM>>))]
| table APP1,hostname1,hostname2,diff

what i need in the diff column is egfhost.domain1

Re: need difference from multivalue table column

secure — Thu, 20 Mar 2025 16:56:07 GMT

This worked for me
| makeresults
| eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=mvappend("syzhost.domain1","abchost.domain1")
| fields - _time
| eval match=max(mvmap(hostname1, if(isnotnull(mvfind(hostname2, hostname1)), 1, hostname1)))
| table APP1,hostname1,hostname2,match

Re: need difference from multivalue table column

livehybrid — Thu, 20 Mar 2025 17:24:26 GMT

Hi @secure

Might not be perfect, but does this work?

| makeresults | eval APP1="appdelta", list1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),list2=mvappend("syzhost.domain1","abchost.domain1") | fields - _time |stats values(list2) as list2 by list1 | foreach list2 mode=multivalue [|eval notInList=IF(<<ITEM>>==list1,<<ITEM>>,null())] | stats values(notInList)

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: need difference from multivalue table column

secure — Thu, 20 Mar 2025 17:30:29 GMT

@livehybrid

tried your solution its not working

i was able to resolve this using

| makeresults
| eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=mvappend("syzhost.domain1","abchost.domain1")
| fields - _time
| eval match=max(mvmap(hostname1, if(isnotnull(mvfind(hostname2, hostname1)), 1, hostname1)))
| table APP1,hostname1,hostname2,match

but now i have a additional issue for some hostnames is "no hosts" in that case also its just giving me 1 hostname

| makeresults
| eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=("")
| fields - _time
| eval match=max(mvmap(hostname1, if(isnotnull(mvfind(hostname2, hostname1)), 1, hostname1)))
| table APP1,hostname1,hostname2,match

which is not right

Re: need difference from multivalue table column

ITWhisperer — Thu, 20 Mar 2025 17:57:53 GMT

Your original post used hostnames2 which I used in my suggestion. In your second post, you used hostname2 which is not the same field. Please retry with the correct field names.

Re: need difference from multivalue table column

livehybrid — Thu, 20 Mar 2025 19:10:11 GMT

Hi @secure

I noticed another reply on your other question similar to this pointed towards using "MVDiff Add-on For Splunk" which might help avoid some complex SPL searches.

Shamelessly pinching @VatsalJagani image from the last reply

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will