Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find nearest value in numeric multivalue field to other numeric field

sematag
New Member
‎05-29-2019 06:49 AM

I have events with a numeric field "Amount" and a field "User". In a KV Store collection I keep the Amount history values for a each User (Amount_Hist). With a lookup I can get the Amount_Hist for a user in a numeric multivalue field.

Given a new event for a user and the the value of Amount, I need to get the nearest value from the Amount_Hist (where Amount_Hist is a multivalue field and Amount a single value field).

I cant use mvexpand to do it because Amount_Hist is very large and mvexpand produce exesive memory usage when is applied for multiple events.

Thanks a lot for any sugerence.

0 Karma
Reply

dtburrows3
Builder
‎01-08-2024 02:32 PM

Not sure if you still need this answered but figure I'd give it a shot in case anybody else has a similar problem they need to solve.

I think something like this would do what you are looking for.

<base_search>
    ``` lookup historical values for each user (potentially mv field) ```
    | lookup <lookup_name> user OUTPUT Amount_Hist
    ``` loop through Amount_Hist values and finding the diff of each compared to the users current value, then take the minimum value and assign it to it's own field "Amount_Hist_min_diff" ```
    | eval
        Amount_Hist_min_diff=min(
            case(
                mvcount(Amount_Hist)==1, abs('Amount_Hist'-'Amount'),
                mvcount(Amount_Hist)>1, mvmap(Amount_Hist, abs('Amount_Hist'-'Amount'))
                )
            ),
        ``` loop back through historical values and only return the values whos diff is equal to the minimum diff value assigned previously ```
        Closest_Amount_Hist_value=mvdedup(
            case(
                mvcount(Amount_Hist)==1, if(abs('Amount_Hist'-'Amount')=='Amount_Hist_min_diff', 'Amount_Hist', null()),
                mvcount(Amount_Hist)>1, mvmap(Amount_Hist, if(abs('Amount_Hist'-'Amount')=='Amount_Hist_min_diff', 'Amount_Hist', null()))
                )
            )

 You can see that the field "Closest_Amount_Hist_value" holds the value closest the the user's current value, this can potentially hold multiple values if they are are equidistant from the current value. As show below.

dtburrows3_1-1704753142009.png

 

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-08-2024 03:15 PM

An alternative which will just return a single 'closest' value using foreach is

your_search_and_lookup
| eval diff=max(Amount_Hist)
| foreach Amount_Hist mode=multivalue [ eval new_diff=min(diff, abs(Amount-<<ITEM>>)), closest=if(new_diff<diff, <<ITEM>>, closest), diff=new_diff ]
| fields - new_diff

 

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...