Solved: Re: Get top combination from a multi value field

Shashank_87 · ‎08-22-2018

Hi, I have a multi value field who has data something like below which has been extracted from some web service.
I am looking to find the combination which occurs maximum time -
Event 1 Combo 1 -
A
B
C
D
Event 2 Combo 2 -
B
C
D
F
Event 3 Combo 3 -
G
B
Q
R
There could be different combinations. I want to compare these combinations and get the one which occurs in maximum events.

kamlesh_vaghela · ‎08-28-2018

@Shashank_87

Can you please try the following search? Note: Here, I have assumed the Event field contains the combinations.

YOUR_SEARCH 
| eval Event=mvsort(Event)
| eval Event=mvjoin(Event,",") 
| top Event
| eval Event=split(Event,",")

My Sample Search:

| makeresults 
| eval Event="A,B,C,D|B,C,D,E|A,B,C,D|B,C,D,E|X,Y,Z|B,A,C,D" 
| eval Event=split(Event,"|") 
| mvexpand Event 
| eval Event=split(Event,",") 
| table Event 
| eval Event=mvsort(Event)
| eval Event=mvjoin(Event,",") 
| top Event
| eval Event=split(Event,",")

Here I have managed multivalue with the different order. If you don't want it then remove | eval Event=mvsort(Event) from search.

Thanks

View solution in original post

kamlesh_vaghela · ‎08-28-2018

@Shashank_87

Can you please try the following search? Note: Here, I have assumed the Event field contains the combinations.

YOUR_SEARCH 
| eval Event=mvsort(Event)
| eval Event=mvjoin(Event,",") 
| top Event
| eval Event=split(Event,",")

My Sample Search:

| makeresults 
| eval Event="A,B,C,D|B,C,D,E|A,B,C,D|B,C,D,E|X,Y,Z|B,A,C,D" 
| eval Event=split(Event,"|") 
| mvexpand Event 
| eval Event=split(Event,",") 
| table Event 
| eval Event=mvsort(Event)
| eval Event=mvjoin(Event,",") 
| top Event
| eval Event=split(Event,",")

Here I have managed multivalue with the different order. If you don't want it then remove | eval Event=mvsort(Event) from search.

Thanks

niketn · ‎08-22-2018

@Shashank_87 so what do you mean by maximum occurrence of a combination? In the above example what would the desired output be? Also are these Single events multi-valued fields? Finally what is the query you have tried so far and what is the output you got?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Shashank_87 · ‎08-22-2018

Ok For example below are the 2 events with multiple values -
Combination 1 -
Line Rental
Player TV (M)
Talk Weekends (Corona)
Set Top Box 500Gb
100 Optical Fibre (Unlimited) (XL100 UL)
Value Migration Q1

Combination 2 -
Essential Collection TV L,. TiVo ??5
Fun TV (L)
Line Rental
New Bundle 12 Mont
(Unlimited data) (L70)
Talk Evenings and Weekends
Set Top Box 500Gb
Voicemail Free

Like this I have extracted and created a table with combinations. Now some of these combinations could be same. So i want to find out those combinations

nadlurinadluri · ‎08-24-2018

If you have the multivalue fields with values ABCD, BCDF,ABCD,BCDF,JKLM...
You want to get ABCD and BCDF as the output?

somesoni2 · ‎08-22-2018

By same do you mean whole set (e.g. ABCD in your first example data) matching, with order?

Get top combination from a multi value field

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...