Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to find common and distinct data from two datasets?

maverick27
Explorer
‎01-31-2024 10:26 PM

Hi @ITWhisperer ,

I have two datasets from two search queries. I need to fetch the common as well as distinct values from both the datasets in the final result. 

Something like this:

Field1Field2Result
121
342
563
784
9105
10 6
  7
  8
  9
  10

 

Can you please help with the query?

0 Karma
Reply

maverick27
Explorer
‎02-01-2024 04:32 AM

May be I wasn't clear with my requirement. Apologies guys!

Let me give you an example as to what I'm trying to do. 

1st search contains the following data:

Field1DEPTUID
1AccountsAA
3HRCC
5OpsEE
7TechGG
9OpsII
10TechJJ
11HRKK

 

2nd search contains the following data:

Field2REGION
2NA
4TY
6HK
8AS
10EU
11AS

 

Now, I need to get common as well as disctinct rows from both the tables as shown below:

ResultDEPTUIDREGION
1AccountsAA 
2  NA
3HRCC 
4  TY
5OpsEE 
6  HK
7TechGG 
8  AS
9OpsII 
10TechJJEU
11HRKKAS
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-01-2024 05:50 AM 
(search1) OR (search2)
| stats values(*) as * by Field1

If they are bigger complex searches, you'd need to use append instead of simple OR for conditions but then you have to watch for limits for subsearches.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-01-2024 05:42 AM

hi @maverick27 ,

you have to expend my search:

index=index1 OR index=index2
| eval Result=coalesce(field1, field2)
| table Result DEPT UID REGION

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-01-2024 05:44 AM

More like this

index=index1 OR index=index2
| eval Result=coalesce(field1, field2)
| stats values(*) as * by Result
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-01-2024 01:44 AM

It looks like @gcusello has provided a good answer - It is probably best not to call out individuals when first posing a question; we are all volunteers here and you don't know when the requested volunteer is going to be available, and others may feel that they shouldn't answer when the question is directed to particular volunteers (do you not value others' contributions?)

Reply

maverick27
Explorer
‎02-01-2024 01:56 AM

Totally agree. I value everyone's contribution and restricting my question only to a certain individual will only delay or prolong the process. Apologies for that. This won't be repeated. Let me try @gcusello's solution and get back! Thanks guys!

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-31-2024 11:11 PM

And you have those results in multivalued fields? In separate result rows?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-31-2024 10:57 PM

Hi @maverick27 ,

you could use eval coalesce, something like this:

index=index1 OR index=index2
| eval new_field=coalesce(field1, field2)
| table new_field

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...