Re: Query on get Combined and Unique Values

Mallik657 · ‎01-30-2024

Hi,

I have database1 and database2, I have query1 to get the data from database1 and query2 to get data from database2. query3 to get unique values from databse2 which doesn't exist in database1.

Now my requirement is to combine the common values in both the databases using a query1 & query2 and also unique values from query2 from database2 which doesn't exist in database1.

Please provide me the Splunk query.

ITWhisperer · ‎01-30-2024

Please share your current searches and some sample events, and what your expected result would look like (anonymised of course)

Mallik657 · ‎01-30-2024

Result should get common in both databases and also unique/rest values from database2. Please help me with query.

Databse1	Database2	Result
A	A	A
B	B	B
C	C	C
D	E	E
E	F	F
	G	G
	H	H

ITWhisperer · ‎01-30-2024

| makeresults count=5
| fields - _time
| streamstats count as row
| eval database1=mvindex(split("ABCDE",""),row - 1)
| fields - row
| appendcols
    [| makeresults count=7
    | streamstats count as row
    | eval database2=mvindex(split("ABCEFGH",""),row - 1)
    | fields - row]
| eval result=database2

Query on get Combined and Unique Values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation