Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count equal and different elements between two fields (crossvalidation)

andres91302
Communicator
‎03-18-2021 06:39 AM

Hello everyone I hope you are all well and safe!

My data= Two fields that contain IDS from clientes of a tea shop, fields= ID_SUGGAR, ID_DOUBLE 

What I want to know: I want to be able to identify with a function what IDS are in BOTH ID_SUGGAR AND ID_DOUBLE , and also what IDS are only exclusive or only present in ID_SUGGAR (Which means these IDS are not in ID_DOUBLE)

Thank you to anyone who can link some documentation about it I Love you all 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-20-2021 10:42 PM

Hi @andres91302,

I was assuming the values are in separate events. Below should work based on your sample;

| makemv delim="," ID_SUGGAR 
| makemv delim="," ID_DOUBLE
| eval IDS=mvmap(ID_SUGGAR,if(isnull(mvfind(ID_DOUBLE,ID_SUGGAR)),ID_SUGGAR,null()))

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-20-2021 10:42 PM

Hi @andres91302,

I was assuming the values are in separate events. Below should work based on your sample;

| makemv delim="," ID_SUGGAR 
| makemv delim="," ID_DOUBLE
| eval IDS=mvmap(ID_SUGGAR,if(isnull(mvfind(ID_DOUBLE,ID_SUGGAR)),ID_SUGGAR,null()))

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

andres91302
Communicator
‎03-21-2021 08:02 AM

@scelikok  this was AWESOME 10/10 thank you so so so much I have also being search your replies for others post and man... you have helped a lot for this is such a great help and I want to praise your job!!!! thank so so so so so so much

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎03-19-2021 12:48 PM

If you can post a sample data, I can find why it didn't work

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

andres91302
Communicator
‎03-20-2021 01:38 PM

hELLO  sir


thank you so much for tryign to help I am very grateful for that.

Lets make up the following  data.

ID_SUGGAR="5,1,45,78,100,200,300"
ID_DOUBLE="5,1,45,78"
My goal is to have a table or a fild that will tell me, the IDS that are in ID_SUGGAR and NOT in ID_DOUBLE are = 100,200,300

Thank you so much @scelikok  for your kind help Im sending you  hug from a distance! have a great weekend stat safe and thank you so much
0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎03-18-2021 12:13 PM

Hi @andres91302,

Please try below;

| eval ID=mvzip(ID_SUGGAR,ID_DOUBLE) 
| makemv delim="," ID 
| mvexpand ID 
| eval IDS_SUGGAR=if(ID_SUGGAR==ID,ID_SUGGAR,null()) 
| eval IDS_DOUBLE=if(ID_DOUBLE==ID,ID_DOUBLE,null()) 
| eval IDS_BOTH=if(ID_SUGGAR==ID_DOUBLE,ID_SUGGAR,null()) 
| stats dc(IDS_*) as * by ID
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

andres91302
Communicator
‎03-19-2021 06:10 AM

Hi man! this did not work.. for me. I would like to thank you for trying to help me

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...