Hi,
I have three fields, let's call them:
x = 6
y = 6
z = 0
What I want to be able to do is compare each of the fields with each other and return the field that doesn't match. In this example, z is the only field that doesn't match, so I would need that to be returned.
I don't want to specify the field names because I want to be able to reuse this query.
Is this possible?
Here's what I've done so far:
index=xxx sourcetype=xxx | fieldsummary | fields field,count | regex field="^([A-Z_]+)$" | where...
Thanks
Hi @mahbs,
Can you please try this search?
YOUR_SEARCH
| eval fields="",values="" 
| foreach "*" 
    [ eval fields = if("<<MATCHSTR>>"=="fields" OR "<<MATCHSTR>>"=="values",fields,fields.","."<<MATCHSTR>>") ,values = if("<<MATCHSTR>>"=="fields" OR "<<MATCHSTR>>"=="values",values,values.",".'<<FIELD>>') ] 
| eval fields=split(fields,","),values=split(values,",") 
| eval tmp=mvzip(fields,values) 
| stats count by tmp,_raw 
| eval fields=mvindex(split(tmp,","),0),values=mvindex(split(tmp,","),1) | where fields!=""
| stats values(fields) as fields values(_raw) as raw by values
Sample Search:
| makeresults 
| eval _raw = "x=6 y=6 z=0" 
| kv 
| fields - _time 
| eval fields="",values="" 
| foreach "*" 
    [ eval fields = if("<<MATCHSTR>>"=="fields" OR "<<MATCHSTR>>"=="values",fields,fields.","."<<MATCHSTR>>") ,values = if("<<MATCHSTR>>"=="fields" OR "<<MATCHSTR>>"=="values",values,values.",".'<<FIELD>>') ] 
| eval fields=split(fields,","),values=split(values,",") 
| eval tmp=mvzip(fields,values) 
| stats count by tmp,_raw 
| eval fields=mvindex(split(tmp,","),0),values=mvindex(split(tmp,","),1) | where fields!=""
| stats values(fields) as fields values(_raw) as raw by values
In this search, I'm iterating over all fields in raw and listing the fields that have different values.
Happy Splunking
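Building on the foreach idea in the answer above, here is an added run-anywhere search (not part of the original answer) that returns, per event, the single field whose value differs from all the others, without naming any field. The four sample events are constructed; the names pairs, f, v, per_value, distinct_values, odd_field and field_count are my own choices, and the isnull() guard covers events that lack some of the fields present elsewhere in the result set.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(n==1, "x=6 y=6 z=0",
                 n==2, "a=1 b=2 c=2 d=2",
                 n==3, "x=4 y=4 z=4",
                 n==4, "x=1 y=2 z=3")
| fields - n
| kv
| rename COMMENT AS "Everything above builds sample events; everything below is the generic odd-one-out logic"
| eval pairs=""
| foreach * [ eval pairs=if("<<FIELD>>"=="pairs" OR isnull('<<FIELD>>'), pairs, mvappend(pairs, "<<FIELD>>"."=".'<<FIELD>>')) ]
| eval pairs=mvfilter(pairs!="")
| mvexpand pairs
| rex field=pairs "^(?<f>[^=]+)=(?<v>.*)$"
| eventstats count AS per_value BY _raw v
| eventstats dc(v) AS distinct_values BY _raw
| stats values(eval(if(per_value==1 AND distinct_values==2, f, null()))) AS odd_field dc(f) AS field_count BY _raw
```

Expected rows: "x=6 y=6 z=0" gives odd_field z, "a=1 b=2 c=2 d=2" gives odd_field a, while the all-equal and all-different events keep an empty odd_field (only one distinct value, or no single minority), which is the check a reader wants before trusting the result on real data.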
Like this:
| makeresults 
| eval _raw = "x=6 y=6 z=0"
| kv
| fields - _time
| rename COMMENT AS "Everything above generates sample events; everything below is your solution"
| eval conclusion=case(x!=y AND x!=z AND y!=z, "AllDifferent",
                       x==y AND y==z, "AllTheSame",
                       x==y, "z",
                       x==z, "y",
                       y==z, "x",
                       true(), "INCONCEIVABLE")
@mahbs, once fieldsummary returns fields with event count, do you want to check all event counts and return fields which do not have event count matching any other field?
The following is a run-anywhere search based on the data provided (A=6, B=6 and C=0, which returns field="C"):
| makeresults
| eval field="A", count=6
|  append 
    [| makeresults
| eval field="B", count=6]
|  append 
    [| makeresults
| eval field="C", count=0]
| stats count(count) as Counter values(field) as field by count
| search Counter=1
The following is a run-anywhere search based on another sample (A=6, B=0 and C=0, which returns field="A"):
| makeresults
| eval field="A", count=6
|  append 
    [| makeresults
| eval field="B", count=0]
|  append 
    [| makeresults
| eval field="C", count=0]
| stats count(count) as Counter values(field) as field by count
| search Counter=1
If the above result is as expected, you can try the following run-anywhere search with Splunk's _internal index in the base search:
index=_internal sourcetype=splunkd
| fieldsummary
| fields field count
| stats count(count) as Counter values(field) as field by count
| search Counter=1
Are you willing to create a new field for each event that would hold the value of the field (for example "not_matching") that does not match?
Yep, I'm willing to do that.
I think it would be difficult, if not impossible, to achieve per event.
The fieldsummary command gives info about fields across all the events returned by the event search.
