Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find values of Field 1 in Field 2

k1green97
Engager
Friday

I am not sure where to start on this. I have 2 fields. Field1 only has a few values while Field2 has many. How can I return values Field2 that appear in Field1?

Field 1Field 2
1727
2433
3617
 22
 24
 31
 29
 08
 

36

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
Super Champion
Saturday

Hi @k1green97 

Check out the following, if your Field2 is a multivalue field you should be good with a 'where IN':

| where Field1 IN (Field2)

 Full example:

| windbag | head 25 | streamstats count as Field1
| table _time Field1
| eval  Field2=split("27,33,17,22,24,31,29,08,36",",")
| where Field1 IN (Field2)

 

HOWEVER, if as it looks on the table you posted that for Row 1, Field1=17 Field2=27 but you want to check if Field1 is in the combined list of Field2 values then you will need to group them together first using eventstats:

| eventstats values(Field2) as Field2
| where Field1 IN (Field2)

Full example:

| makeresults count=9 | streamstats count as _n
| eval Field1=case(_n=1, 17, _n=2, 24, _n=3, 36)
| eval Field2=case(_n=1, 27, _n=2, 33, _n=3, 17, _n=4, 22, _n=5, 24, _n=6, 31, _n=7, 29, _n=8, 8, _n=9, 36)
| fields - _time
``` finished data sample ```
| eventstats values(Field2) as Field2
| where Field1 IN (Field2)

livehybrid_0-1746890032973.png

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

Reply
Solved! Jump to solution
Solution

livehybrid
Super Champion
Saturday

Hi @k1green97 

Check out the following, if your Field2 is a multivalue field you should be good with a 'where IN':

| where Field1 IN (Field2)

 Full example:

| windbag | head 25 | streamstats count as Field1
| table _time Field1
| eval  Field2=split("27,33,17,22,24,31,29,08,36",",")
| where Field1 IN (Field2)

 

HOWEVER, if as it looks on the table you posted that for Row 1, Field1=17 Field2=27 but you want to check if Field1 is in the combined list of Field2 values then you will need to group them together first using eventstats:

| eventstats values(Field2) as Field2
| where Field1 IN (Field2)

Full example:

| makeresults count=9 | streamstats count as _n
| eval Field1=case(_n=1, 17, _n=2, 24, _n=3, 36)
| eval Field2=case(_n=1, 27, _n=2, 33, _n=3, 17, _n=4, 22, _n=5, 24, _n=6, 31, _n=7, 29, _n=8, 8, _n=9, 36)
| fields - _time
``` finished data sample ```
| eventstats values(Field2) as Field2
| where Field1 IN (Field2)

livehybrid_0-1746890032973.png

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
Saturday

OK. And those "fields" are...? Values of a multivalued field in a single event? Or just multiple values returned from "stats values "command? Something else?

Do you have any other fields in your data? Do you want them preserved?

 

Reply
Solved! Jump to solution

kiran_panchavat
Influencer
Friday

@k1green97 

To find values of Field1 that appear in Field2 using Splunk with makeresults(The makeresults command allows users to quickly generate sample data sets for testing) you can create a query that generates the data and then uses eval and where to filter the matching values.
 
 
kiran_panchavat_0-1746853037991.png

You can try this query and replace the values:

index=my_index sourcetype=my_sourcetype 
| stats values(Field1) as Field1_values, values(Field2) as Field2_values 
| mvexpand Field1_values 
| where Field1_values IN (Field2_values) 
| table Field1_values
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...