Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multivalue field problem Is there any way to use without "mvexpand"

Kirthika
Path Finder
‎06-29-2023 04:59 AM
IDcurr_rowcomparison_result
19Turn onequal
191245equal
191245equal
191245equal
191245equal
191245equal
191245equal
20Turn onnot equal
207656equal
207690not equal
208783equal

 

For the above table, whenever a comparison_result column value is equal to "not equal", it should copy the corresponding whole row value and insert before that row by changing curr_row value alone to "Turn on" without using mvexpand command. I have tried with mvexpand query, memory issue was there.

 

Mvexpand query:

 

| eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2),null())
| mvexpand row
| eval curr_row=if(row==0,"Turn on",curr_row)
| fields - row
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-29-2023 10:54 PM

@Kirthika 

stats command will give you better performance over mvexpand and memory limitation issues.  Please check below sample search and try to design your search as per requirement. 

| makeresults 
| eval _raw="ID	curr_row	comparison_result
19	Turn on	equal
19	1245	equal
19	1245	equal
19	1245	equal
19	1245	equal
19	1245	equal
19	1245	equal
20	Turn on	not equal
20	7656	equal
20	7690	not equal
20	8783	equal" 
| multikv forceheader=1
| table ID curr_row comparison_result
| rename comment as "Upto now is data generation logic only"
| eval a=1 | accum a
| eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2)," ")
| stats c by a ID curr_row comparison_result row
| sort a
| eval curr_row=if(row==0,"Turn on",curr_row)
| table ID curr_row comparison_result

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-29-2023 10:54 PM

@Kirthika 

stats command will give you better performance over mvexpand and memory limitation issues.  Please check below sample search and try to design your search as per requirement. 

| makeresults 
| eval _raw="ID	curr_row	comparison_result
19	Turn on	equal
19	1245	equal
19	1245	equal
19	1245	equal
19	1245	equal
19	1245	equal
19	1245	equal
20	Turn on	not equal
20	7656	equal
20	7690	not equal
20	8783	equal" 
| multikv forceheader=1
| table ID curr_row comparison_result
| rename comment as "Upto now is data generation logic only"
| eval a=1 | accum a
| eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2)," ")
| stats c by a ID curr_row comparison_result row
| sort a
| eval curr_row=if(row==0,"Turn on",curr_row)
| table ID curr_row comparison_result

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

0 Karma
Reply
Solved! Jump to solution

Kirthika
Path Finder
‎06-29-2023 11:07 PM

Thank you @kamlesh_vaghela . It works as expected

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-29-2023 11:09 PM

Glad to help you  @Kirthika 

Happy Splunking

 

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Top