Solved: Re: Adding Integers/numerical data in 2 multivalu...

jaysonpryde · ‎07-26-2021

Hi All,

I think the subject of my questions says it all... I wanted to add numerical data from 2 multivalue fields, and save it to a new field.

Field1	Field2	Field3
4	8	12
8	9	17
3	2	5

I know mvappend is not the one to be used here, but I already tried:

| eval field3=mvappend(field1,field2)

Any ideas are greatly appreciated?

ITWhisperer · ‎07-26-2021

| eval field3=mvzip(field1,field2,"!")
| eval field3=mvmap(field3,tonumber(mvindex(split(field3,"!"),0))+tonumber(mvindex(split(field3,"!"),1)))

View solution in original post

ITWhisperer · ‎07-26-2021

| eval field3=mvzip(field1,field2,"!")
| eval field3=mvmap(field3,tonumber(mvindex(split(field3,"!"),0))+tonumber(mvindex(split(field3,"!"),1)))

jaysonpryde · ‎07-27-2021

You're indeed a legend @ITWhisperer . Thank you very much!

kamlesh_vaghela · ‎07-26-2021

@jaysonpryde

Are you looking for this?

YOUR_SEARCH
| eval a=1 | accum a
| stats sum(Field1) as sum_Field1 sum(Field2) as sum_Field2 list(*) as * by a
| eval Field3= sum_Field1+sum_Field2 | fields Field*

My Sample Search :

| makeresults | eval _raw="Field1	Field2
4|2	8|5	12
8|2	9|2	17
3|2	2|2	5" | multikv forceheader=1 | eval Field1=split(Field1,"|"),Field2=split(Field2,"|")
| table Field1	Field2 
| rename comment as "Upto Now is sample data only" 
| eval a=1 | accum a
| stats sum(Field1) as sum_Field1 sum(Field2) as sum_Field2 list(*) as * by a
| eval Field3= sum_Field1+sum_Field2 | fields Field*

Thanks
KV
▄︻̷̿┻̿═━一 ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

jaysonpryde · ‎07-26-2021

Hi @kamlesh_vaghela , thanks a lot for your feedback.

However, your proposed solution is actually getting the sum of Field1 and Field2.

I am not up to that. As mentioned, I want each row/entry of the the multivalue fields 1 & 2, to be added, and saved on fied 3... Again, what I require is a per entry operation.

Again, thanks a lot for your reply.

kamlesh_vaghela · ‎07-26-2021

@jaysonpryde

As you said multivalued ( single field with multiple values) field so I though field1 and field2 is multivalued.

As per your provided example in question, did you tried simply addition?

like

| eval field3=field1 + field2

😕

Or I think I'm still not clear about your expectations.

kamlesh_vaghela · ‎07-26-2021

Try this

| eval Field3=tonumber(Field1) + tonumber(Field2)

jaysonpryde · ‎07-26-2021

still not working... I think you can't just simply add multivalue fields directly.

But still, thanks a lot for your comments. greatly appreciate it

jaysonpryde · ‎07-26-2021

Hmm... the solution you provided is not working for me. I always get empty results in field3

kamlesh_vaghela · ‎07-26-2021

@jaysonpryde

Can you please share sample OP from this ?

YOUR_SEARCH | head 3
| table Field1	Field2

jaysonpryde · ‎07-26-2021

example field1 and field2

Like what I placed in my initial post, it's just 2 multivalue fields.

I got the 2 multivalue fields from this search:

| stats list(field1) as field1, list(field2) as field2 by group_name

kamlesh_vaghela · ‎07-26-2021

@jaysonpryde

Is is possible to add before stats? like

YOUR_SEARCH
| eval field3 = field1 + field2
| stats list(field1) as field1, list(field2) as field2,list(field3) as field3 by group_name

| makeresults 
| eval _raw="field1,field2,group_name
4,8,A
8,9,A
3,2,A" 
| multikv forceheader=1 
| rename comment as "Upto Now is sample data only" 
| eval field3 = field1 + field2
| stats list(field1) as field1, list(field2) as field2,list(field3) as field3 by group_name

jaysonpryde · ‎07-26-2021

not possible since field1 and field2 are results from operations / evaluations.

I just simplified it on my original post.

kamlesh_vaghela · ‎07-26-2021

@jaysonpryde

Then I think this will help you.

YOUR_SEARCH
| stats list(field1) as field1, list(field2) as field2 by group_name
| eval t=mvzip(field1,field2)
| mvexpand t
| eval field1=mvindex(split(t,","),0),field2=mvindex(split(t,","),0) | fields - t
| eval field3 = field1 + field2
| stats list(field1) as field1, list(field2) as field2, list(field3) as field3 by group_name

My Sample Search :

| makeresults 
| eval _raw="field1,field2,group_name
4,8,A
8,9,A
3,2,A" 
| multikv forceheader=1 
| rename comment as "Upto Now is sample data only" 
| stats list(field1) as field1, list(field2) as field2 by group_name
| eval t=mvzip(field1,field2)
| mvexpand t
| eval field1=mvindex(split(t,","),0),field2=mvindex(split(t,","),0) | fields - t
| eval field3 = field1 + field2
| stats list(field1) as field1, list(field2) as field2, list(field3) as field3 by group_name

Adding Integers/numerical data in 2 multivalue fields to a new field

fields

Other

Preparing your Splunk Environment for OpenSSL3

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...