Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find values of Field 1 in Field 2

k1green97
Engager
a week ago

I am not sure where to start on this. I have 2 fields. Field1 only has a few values while Field2 has many. How can I return values Field2 that appear in Field1?

Field 1Field 2
1727
2433
3617
 22
 24
 31
 29
 08
 

36

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
Super Champion
a week ago

Hi @k1green97 

Check out the following, if your Field2 is a multivalue field you should be good with a 'where IN':

| where Field1 IN (Field2)

 Full example:

| windbag | head 25 | streamstats count as Field1
| table _time Field1
| eval  Field2=split("27,33,17,22,24,31,29,08,36",",")
| where Field1 IN (Field2)

 

HOWEVER, if as it looks on the table you posted that for Row 1, Field1=17 Field2=27 but you want to check if Field1 is in the combined list of Field2 values then you will need to group them together first using eventstats:

| eventstats values(Field2) as Field2
| where Field1 IN (Field2)

Full example:

| makeresults count=9 | streamstats count as _n
| eval Field1=case(_n=1, 17, _n=2, 24, _n=3, 36)
| eval Field2=case(_n=1, 27, _n=2, 33, _n=3, 17, _n=4, 22, _n=5, 24, _n=6, 31, _n=7, 29, _n=8, 8, _n=9, 36)
| fields - _time
``` finished data sample ```
| eventstats values(Field2) as Field2
| where Field1 IN (Field2)

livehybrid_0-1746890032973.png

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

Reply
Solved! Jump to solution
Solution

livehybrid
Super Champion
a week ago

Hi @k1green97 

Check out the following, if your Field2 is a multivalue field you should be good with a 'where IN':

| where Field1 IN (Field2)

 Full example:

| windbag | head 25 | streamstats count as Field1
| table _time Field1
| eval  Field2=split("27,33,17,22,24,31,29,08,36",",")
| where Field1 IN (Field2)

 

HOWEVER, if as it looks on the table you posted that for Row 1, Field1=17 Field2=27 but you want to check if Field1 is in the combined list of Field2 values then you will need to group them together first using eventstats:

| eventstats values(Field2) as Field2
| where Field1 IN (Field2)

Full example:

| makeresults count=9 | streamstats count as _n
| eval Field1=case(_n=1, 17, _n=2, 24, _n=3, 36)
| eval Field2=case(_n=1, 27, _n=2, 33, _n=3, 17, _n=4, 22, _n=5, 24, _n=6, 31, _n=7, 29, _n=8, 8, _n=9, 36)
| fields - _time
``` finished data sample ```
| eventstats values(Field2) as Field2
| where Field1 IN (Field2)

livehybrid_0-1746890032973.png

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
a week ago

OK. And those "fields" are...? Values of a multivalued field in a single event? Or just multiple values returned from "stats values "command? Something else?

Do you have any other fields in your data? Do you want them preserved?

 

Reply
Solved! Jump to solution

kiran_panchavat
Influencer
a week ago

@k1green97 

To find values of Field1 that appear in Field2 using Splunk with makeresults(The makeresults command allows users to quickly generate sample data sets for testing) you can create a query that generates the data and then uses eval and where to filter the matching values.
 
 
kiran_panchavat_0-1746853037991.png

You can try this query and replace the values:

index=my_index sourcetype=my_sourcetype 
| stats values(Field1) as Field1_values, values(Field2) as Field2_values 
| mvexpand Field1_values 
| where Field1_values IN (Field2_values) 
| table Field1_values
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...