Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare multivalues from different rows

farhad
Engager
‎07-04-2023 06:42 AM

In my search i have 2 rows, column specifying the week and the other column a multi-value field of EventIDs. I need to compare one row multievalue field to another row multi value field. And Output the different event values from these 2 rows.

______________________________

my search
| stats values(EventID) by week

Result:

weekvalues(EventID)
This week
4624
4625
4627
4634
4647
4648
4656
4658
4661
4663
4664
4670
4672
4673
4674
4688
4689
4690
4692
4693
4698
Previous Week
4624
4625
4627
4634
4647
4648
4656
4658
4661
4663
4664
4670
4672
4673
4674
4688
4689
4690
4692
4693
4698
4702
4720
4722
4724
4725

 

Now i desire to compare "this week" event values with "previous week" event values and table values not seen in both weeks. Any suggestions is much appreciated, thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-04-2023 08:28 AM

@farhad 

Can you please try this?

YOUR_SEARCH
| stats values(week) as weeks by EventID 
| eval status = case(mvcount(weeks)==2,"Available In Both",weeks="This week","Available In This Week",weeks="Previous Week","Available In Previous Week") 
| stats values(EventID) as EventIDs by status

 

My Sample Search :

 

| makeresults 
| eval _raw="week	EventID
This week	4624,4625,4627,4634,4647,4648,4656,4658,4661,4663,4664,4670,4672,4673,4674,4688,4689,4690,4692,4693,4698,100,102,103
Previous Week	4624,4625,4627,4634,4647,4648,4656,4658,4661,4663,4664,4670,4672,4673,4674,4688,4689,4690,4692,4693,4698,4702,4720,4722,4724,4725
" 
| multikv forceheader=1 
| eval EventID=split(EventID,",") 
| mvexpand EventID 
| table week EventID 
| rename comment as "Upto now is for sample data only"
| stats values(week) as weeks by EventID 
| eval status = case(mvcount(weeks)==2,"Available In Both",weeks="This week","Available In This Week",weeks="Previous Week","Available In Previous Week") 
| stats values(EventID) as EventIDs by status

 

Screenshot 2023-07-04 at 8.58.03 PM.png

 

I hope this will help you.

 

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-04-2023 08:28 AM

@farhad 

Can you please try this?

YOUR_SEARCH
| stats values(week) as weeks by EventID 
| eval status = case(mvcount(weeks)==2,"Available In Both",weeks="This week","Available In This Week",weeks="Previous Week","Available In Previous Week") 
| stats values(EventID) as EventIDs by status

 

My Sample Search :

 

| makeresults 
| eval _raw="week	EventID
This week	4624,4625,4627,4634,4647,4648,4656,4658,4661,4663,4664,4670,4672,4673,4674,4688,4689,4690,4692,4693,4698,100,102,103
Previous Week	4624,4625,4627,4634,4647,4648,4656,4658,4661,4663,4664,4670,4672,4673,4674,4688,4689,4690,4692,4693,4698,4702,4720,4722,4724,4725
" 
| multikv forceheader=1 
| eval EventID=split(EventID,",") 
| mvexpand EventID 
| table week EventID 
| rename comment as "Upto now is for sample data only"
| stats values(week) as weeks by EventID 
| eval status = case(mvcount(weeks)==2,"Available In Both",weeks="This week","Available In This Week",weeks="Previous Week","Available In Previous Week") 
| stats values(EventID) as EventIDs by status

 

Screenshot 2023-07-04 at 8.58.03 PM.png

 

I hope this will help you.

 

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

Reply
Solved! Jump to solution

farhad
Engager
‎07-05-2023 12:11 AM

Work as intended, great thanks!

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-04-2023 08:10 AM

You have to use transpose to get the values into the same event so you can compare them; can then transpose again to return them to different event (if that's what you require).

| transpose 0 header_field=week column_name=events
| foreach mode=multivalue "Previous Week"
    [| eval missing=if(in(<<ITEM>>,'This week'),missing,mvappend(missing,<<ITEM>>))]
| foreach mode=multivalue "This week"
    [| eval new=if(in(<<ITEM>>,'Previous Week'),new,mvappend(new,<<ITEM>>))]
| transpose 0 header_field=events column_name=week
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...