Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk query to compare a particular field values

harshi
Observer
‎09-27-2023 01:27 AM

Hi , 

I am trying to write a query which compare all field values for a particular field and fetch the results if its not same accordingly with its details. Below is my input :

FieldA    FieldB

host1        26

host2        29

host3        29

I want to compare all field values from fieldB , and if its not same then i want to fetch that count with its fieldA value.

eg :  here 26 is not equal to other 2 field values , then fieldB value with fieldA values has to be displayed.

I tried with if condition

| eventstats list(fieldB) as counts | eval value1=mvindex(counts,-2) | eval value2=mvindex(counts,-1) | | eval value3=mvindex(counts,-0) | eval value=if(('value1'=='value2') AND ('value2'=='value3'),"0",""1")

Also with below query:

|stats dc(metric_value) as count | eval value=if(count>1,"0","1")

But with above 2 , i m not able pull its host name where that value is not same.

Note: fieldB is dynamic

Help me with this !!

Labels (2)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-27-2023 01:54 AM

If host1's 26 is not equal to the 29 values of host2 and host3, then what logic do you apply to host2, as its 29 is not equal to the value of host1's 26.

So effectively none of them are equal to all of the others - how do you know which one is the master value to compare against?

0 Karma
Reply

harshi
Observer
‎09-27-2023 04:04 AM

There is no master , whatever the values which are present that should be same and not different.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-27-2023 03:01 PM

What do you expect from 26,26,29 or 26,28,29?

Are there always only 3 numbers?

0 Karma
Reply

harshi
Observer
‎09-27-2023 11:03 PM

26,26,29 : 3 numbers are not equal  , so return results with 3rd number which is nor equal to other 2 . 

26,28,29: again 3 number are not equal , so return results with all 3

yes , it is always 3 number itself 

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-27-2023 02:06 AM

If you are looking to find what values are not the maximum you could do this example

| makeresults 
| eval _raw="FieldA    FieldB
host1        26
host2        29
host3        29" 
| multikv forceheader=1 
| table FieldA FieldB 
| eventstats dc(FieldB) as counts min(FieldB) as minFieldB max(FieldB) as maxFieldB
| eval result=if(counts>1 AND FieldB<maxFieldB, FieldA, null())
| stats list(eval(if(isnotnull(result), FieldA, null()))) as Hosts list(eval(if(isnotnull(result), FieldB, null()))) as Values

to get a list of the hosts and their values that are not the maximum

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...