Solved: Re: Compare on field values with another field val...

renuka · ‎07-27-2021

Hello

I want compare one field values with another when I tried to compare it is coming in this format as shown in below pic

In above picture Project.static_code metric* are the field names(left handside).On righthandside are the field values.But I want the format to be in the below pic form.

venkatasri · ‎07-27-2021

@renuka

This should give output you need, just try exactly replace field_names.

<your_search_goes_here>
| eval project_static=replace(project_static, "{@comment}", "") 
| stats values(customer_platform) as mv by project_static
| eval metric=mvindex(mv,1) , count=mvindex(mv,0) 
| table metric, count

View solution in original post

venkatasri · ‎07-27-2021

Hi @renuka

Can you try this? I have used short field names project_names, customer_pplatform replace accordingly.

<your_search_goes_here>
| eval project_static=replace(project_static, "{@comment}", "") 
| stats values(customer_platform) as mv by project_static
| eval result=mvindex(mv,1)." ".mvindex(mv,0) 
| table result

--

An upvote would be appreciated and Accept solution if this reply helps!

renuka · ‎07-27-2021

Hello @venkatasri
Thank you for reply
It actually for working but i want for multiple fields
field 1:metrics count1 Field7:18
field2:metrics count2 Field8:0
field 3:metrics count 3 Field9:20
field 4:metrics count 4 Field10:10
field 5:metrics count 5 Field11:0
field 6:metrics count 6 Field12:01
Output should me in the form of
metrics count1 18
metrics count2 0
metrics count 3 20
metrics count 4 10
metrics count 5 0
metrics count 6 01
I tried foreach loop also but yet not showing any results

renuka · ‎07-27-2021

Hello @venkatasri
SPL query is working but i want for multiple fields

venkatasri · ‎07-27-2021

@renuka Just define multiple fields means?, not quite clear what you were trying to achieve.

venkatasri · ‎07-27-2021

@renuka Did not get you what you were after?

Was the original solution not showing what you need? Can you share real field names and value's inside.

What's the output of SPL that i have provided?

renuka · ‎07-27-2021

@venkatasri

This is how i am getting the output,
i want output as,
Number of Function with Cyclomatic Complexity greater than 20 18
Number of Function with Goto Complexity not equal to 0 0

venkatasri · ‎07-27-2021

@renuka

This should give output you need, just try exactly replace field_names.

<your_search_goes_here>
| eval project_static=replace(project_static, "{@comment}", "") 
| stats values(customer_platform) as mv by project_static
| eval metric=mvindex(mv,1) , count=mvindex(mv,0) 
| table metric, count

ITWhisperer · ‎07-27-2021

Can you share some raw events and which fields have already been extracted?

renuka · ‎07-27-2021

this is actually xml files imported.on left side there are fields which we are considering now
eg:if field 1:Project metrics(@comment) :18 and field2:project metrics:no.of metrics count
i want to print the output
No.of metrics count 18
actually i want to compare one field value with another field value and display output

ITWhisperer · ‎07-27-2021

Can you share this in a code block </> rather than a picture - it makes it easier to see what is going on, especially as the picture doesn't seem to include any of the elements you are interested in?

Compare on field values with another field values

chart

eval

fields

stats

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk