- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Get top combination from a multi value field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I have a multi value field who has data something like below which has been extracted from some web service.
I am looking to find the combination which occurs maximum time -
Event 1 Combo 1 -
A
B
C
D
Event 2 Combo 2 -
B
C
D
F
Event 3 Combo 3 -
G
B
Q
R
There could be different combinations. I want to compare these combinations and get the one which occurs in maximum events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Shashank_87
Can you please try the following search? Note: Here, I have assumed the Event field contains the combinations.
YOUR_SEARCH
| eval Event=mvsort(Event)
| eval Event=mvjoin(Event,",")
| top Event
| eval Event=split(Event,",")
My Sample Search:
| makeresults
| eval Event="A,B,C,D|B,C,D,E|A,B,C,D|B,C,D,E|X,Y,Z|B,A,C,D"
| eval Event=split(Event,"|")
| mvexpand Event
| eval Event=split(Event,",")
| table Event
| eval Event=mvsort(Event)
| eval Event=mvjoin(Event,",")
| top Event
| eval Event=split(Event,",")
Here I have managed multivalue with the different order. If you don't want it then remove | eval Event=mvsort(Event) from search.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Shashank_87
Can you please try the following search? Note: Here, I have assumed the Event field contains the combinations.
YOUR_SEARCH
| eval Event=mvsort(Event)
| eval Event=mvjoin(Event,",")
| top Event
| eval Event=split(Event,",")
My Sample Search:
| makeresults
| eval Event="A,B,C,D|B,C,D,E|A,B,C,D|B,C,D,E|X,Y,Z|B,A,C,D"
| eval Event=split(Event,"|")
| mvexpand Event
| eval Event=split(Event,",")
| table Event
| eval Event=mvsort(Event)
| eval Event=mvjoin(Event,",")
| top Event
| eval Event=split(Event,",")
Here I have managed multivalue with the different order. If you don't want it then remove | eval Event=mvsort(Event) from search.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Shashank_87 so what do you mean by maximum occurrence of a combination? In the above example what would the desired output be? Also are these Single events multi-valued fields? Finally what is the query you have tried so far and what is the output you got?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok For example below are the 2 events with multiple values -
Combination 1 -
Line Rental
Player TV (M)
Talk Weekends (Corona)
Set Top Box 500Gb
100 Optical Fibre (Unlimited) (XL100 UL)
Value Migration Q1
Combination 2 -
Essential Collection TV L,. TiVo ??5
Fun TV (L)
Line Rental
New Bundle 12 Mont
(Unlimited data) (L70)
Talk Evenings and Weekends
Set Top Box 500Gb
Voicemail Free
Like this I have extracted and created a table with combinations. Now some of these combinations could be same. So i want to find out those combinations
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have the multivalue fields with values ABCD, BCDF,ABCD,BCDF,JKLM...
You want to get ABCD and BCDF as the output?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By same do you mean whole set (e.g. ABCD in your first example data) matching, with order?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
