Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare a field with latest two events?

vrmandadi
Builder
‎08-09-2022 06:12 PM

Hello SPLUNKERS,

I have a field called GPU which has values GPU0,GPU1,GPU2,GPU3. etc ..Some might have 7 values some might have 4 and some might have 3 for each host... I  want to compare   the current GPU and with the previous event for that host and if there is a difference I want to show what is the difference  and if its same then show no difference .For example 

Current Event : GPU0,GPU1,GPU2,GPU3,GPU4,GPU5,GPU6,GPU7

Previous Event : GPU0,GPU2,GPU6,GPU7

 

Thanks in Advance

I want to output the difference :GPU1,GPU3,GPU4,GPU5 

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-09-2022 08:45 PM

See this search example that uses your example to show differences.

It created multivalue fields for the GPU values and then uses a pair of MVMAP statements to stitch together new entries in the second event as well as entries no longer in second event

| makeresults
``` Make 2 events containing different GPUs ```
| eval event_1="GPU0,GPU2,GPU6,GPU7"
| eval event_2="GPU0,GPU1,GPU2,GPU3,GPU4,GPU5,GPU6,GPU7"
| eval gpus_1=split(event_1, ",")
| eval gpus_2=split(event_2, ",")
``` Calculate differences - only new additions in this example ```
| eval differences_1_vs_2=mvappend(mvmap(gpus_2, if(isnull(mvfind(gpus_1, gpus_2)), gpus_2, null())), mvmap(gpus_1, if(isnull(mvfind(gpus_2, gpus_1)), gpus_1, null())))
``` Now let's try reductions and addition in same event ```
| eval event_3="GPU1,GPU7,GPU8"
| eval gpus_3=split(event_3, ",")
| eval differences_2_vs_3=mvappend(mvmap(gpus_3, if(isnull(mvfind(gpus_2, gpus_3)), gpus_3, null())), mvmap(gpus_2, if(isnull(mvfind(gpus_3, gpus_2)), gpus_2, null())))
``` Now no changes ```
| eval event_4="GPU1,GPU7,GPU8"
| eval gpus_4=split(event_4, ",")
| eval differences_3_vs_4=mvappend(mvmap(gpus_3, if(isnull(mvfind(gpus_4, gpus_3)), gpus_3, null())), mvmap(gpus_4, if(isnull(mvfind(gpus_3, gpus_4)), gpus_4, null())))
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...