Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multivalue field problem Is there any way to use without "mvexpand"

Kirthika
Path Finder
‎06-29-2023 04:59 AM
IDcurr_rowcomparison_result
19Turn onequal
191245equal
191245equal
191245equal
191245equal
191245equal
191245equal
20Turn onnot equal
207656equal
207690not equal
208783equal

 

For the above table, whenever a comparison_result column value is equal to "not equal", it should copy the corresponding whole row value and insert before that row by changing curr_row value alone to "Turn on" without using mvexpand command. I have tried with mvexpand query, memory issue was there.

 

Mvexpand query:

 

| eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2),null())
| mvexpand row
| eval curr_row=if(row==0,"Turn on",curr_row)
| fields - row
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-29-2023 10:54 PM

@Kirthika 

stats command will give you better performance over mvexpand and memory limitation issues.  Please check below sample search and try to design your search as per requirement. 

| makeresults 
| eval _raw="ID	curr_row	comparison_result
19	Turn on	equal
19	1245	equal
19	1245	equal
19	1245	equal
19	1245	equal
19	1245	equal
19	1245	equal
20	Turn on	not equal
20	7656	equal
20	7690	not equal
20	8783	equal" 
| multikv forceheader=1
| table ID curr_row comparison_result
| rename comment as "Upto now is data generation logic only"
| eval a=1 | accum a
| eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2)," ")
| stats c by a ID curr_row comparison_result row
| sort a
| eval curr_row=if(row==0,"Turn on",curr_row)
| table ID curr_row comparison_result

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-29-2023 10:54 PM

@Kirthika 

stats command will give you better performance over mvexpand and memory limitation issues.  Please check below sample search and try to design your search as per requirement. 

| makeresults 
| eval _raw="ID	curr_row	comparison_result
19	Turn on	equal
19	1245	equal
19	1245	equal
19	1245	equal
19	1245	equal
19	1245	equal
19	1245	equal
20	Turn on	not equal
20	7656	equal
20	7690	not equal
20	8783	equal" 
| multikv forceheader=1
| table ID curr_row comparison_result
| rename comment as "Upto now is data generation logic only"
| eval a=1 | accum a
| eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2)," ")
| stats c by a ID curr_row comparison_result row
| sort a
| eval curr_row=if(row==0,"Turn on",curr_row)
| table ID curr_row comparison_result

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

0 Karma
Reply
Solved! Jump to solution

Kirthika
Path Finder
‎06-29-2023 11:07 PM

Thank you @kamlesh_vaghela . It works as expected

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-29-2023 11:09 PM

Glad to help you  @Kirthika 

Happy Splunking

 

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...