Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Correlating field values and finding where they match

sasisudas
New Member
‎04-10-2017 11:07 PM

Hello guys,

So I have struggled writing search pipeline for this senario:

I have comparing unique id(numerical value) in 3 different fields (id_1,id_2,id_3). The data looks something like:
id_1 | id_2 | id_3
1 3 4
2 4 5
3 5 6
4 6 5
4 5 3

I want to find out where all three columns have a matching value.
For example, here 4 would be a unique value that appears in all three fields.

I have run different seaches:
...|table id_1.id_2,id_3|where id_1==id_2==id_3
...|eval matchname=id_2|where id_1==matchname <-tried with 2 fields first, no result
...|table id_1, id_2|eval matchname=if(id_1==id_2,"y","n")
...|stats values(id_1) by id_2,id_3

I am new to Splunk so please excuse my lack of knowledge on the different commands. But i feel like I might be missed a big concept in Splunk Search Language.

Advance thanks for any help on this.

-New Splunk Enthusiast

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-11-2017 12:48 AM

This should do, starting from your initial table:

... | table id_1 id_2 id_3 | eval foo = 42 | untable foo name value | stats dc(name) as dc by value | where dc=3

That will distinct-count the field names per value, and only keep those values that occur in all three field names.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...