Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count equal and different elements between two fields (crossvalidation)

andres91302
Communicator
‎03-18-2021 06:39 AM

Hello everyone I hope you are all well and safe!

My data= Two fields that contain IDS from clientes of a tea shop, fields= ID_SUGGAR, ID_DOUBLE 

What I want to know: I want to be able to identify with a function what IDS are in BOTH ID_SUGGAR AND ID_DOUBLE , and also what IDS are only exclusive or only present in ID_SUGGAR (Which means these IDS are not in ID_DOUBLE)

Thank you to anyone who can link some documentation about it I Love you all 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-20-2021 10:42 PM

Hi @andres91302,

I was assuming the values are in separate events. Below should work based on your sample;

| makemv delim="," ID_SUGGAR 
| makemv delim="," ID_DOUBLE
| eval IDS=mvmap(ID_SUGGAR,if(isnull(mvfind(ID_DOUBLE,ID_SUGGAR)),ID_SUGGAR,null()))

 

If this reply helps you an upvote is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-20-2021 10:42 PM

Hi @andres91302,

I was assuming the values are in separate events. Below should work based on your sample;

| makemv delim="," ID_SUGGAR 
| makemv delim="," ID_DOUBLE
| eval IDS=mvmap(ID_SUGGAR,if(isnull(mvfind(ID_DOUBLE,ID_SUGGAR)),ID_SUGGAR,null()))

 

If this reply helps you an upvote is appreciated.
Reply
Solved! Jump to solution

andres91302
Communicator
‎03-21-2021 08:02 AM

@scelikok  this was AWESOME 10/10 thank you so so so much I have also being search your replies for others post and man... you have helped a lot for this is such a great help and I want to praise your job!!!! thank so so so so so so much

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎03-19-2021 12:48 PM

If you can post a sample data, I can find why it didn't work

If this reply helps you an upvote is appreciated.
Reply
Solved! Jump to solution

andres91302
Communicator
‎03-20-2021 01:38 PM

hELLO  sir


thank you so much for tryign to help I am very grateful for that.

Lets make up the following  data.

ID_SUGGAR="5,1,45,78,100,200,300"
ID_DOUBLE="5,1,45,78"
My goal is to have a table or a fild that will tell me, the IDS that are in ID_SUGGAR and NOT in ID_DOUBLE are = 100,200,300

Thank you so much @scelikok  for your kind help Im sending you  hug from a distance! have a great weekend stat safe and thank you so much
0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎03-18-2021 12:13 PM

Hi @andres91302,

Please try below;

| eval ID=mvzip(ID_SUGGAR,ID_DOUBLE) 
| makemv delim="," ID 
| mvexpand ID 
| eval IDS_SUGGAR=if(ID_SUGGAR==ID,ID_SUGGAR,null()) 
| eval IDS_DOUBLE=if(ID_DOUBLE==ID,ID_DOUBLE,null()) 
| eval IDS_BOTH=if(ID_SUGGAR==ID_DOUBLE,ID_SUGGAR,null()) 
| stats dc(IDS_*) as * by ID
If this reply helps you an upvote is appreciated.
Reply
Solved! Jump to solution

andres91302
Communicator
‎03-19-2021 06:10 AM

Hi man! this did not work.. for me. I would like to thank you for trying to help me

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...