Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I identify duplicates in a multivalue field based on the value of another field?

jedatt01
Builder
‎11-20-2017 01:48 PM

I need to be able to identify duplicates in a multivalue field. The difficulty is that I want to identify duplicates that match the value of another field.

for example
field1 = "something"
(MV field) field2 = "something, nothing, everything, something"

I need to be able to count how many times field1 is seen.

eval test = mvfilter(match(field2,field1)) <------------- how can I do the equivalent of this since mvfilter doesn't support tokens?

0 Karma
Reply

micahkemp
Champion
‎11-20-2017 02:43 PM

This would likely not be a great search if there are a lot of events that meet your criteria (mvexpand can be a memory hog), but this may work well enough for your use case:

<your base search>
| where field2==field1
| streamstats count AS row
| mvexpand field2
| eval matches=if(field2==field1, field1, dummy)
| stats list(field2) AS field2, values(field1) AS field1, list(matches) AS matches BY row
| table field1 field2 matches
0 Karma
Reply

somesoni2
Revered Legend
‎11-20-2017 02:28 PM

You can try this workaround. (runanywhere search, first two lines are used to generate sample data)

| gentimes start=-1 | eval field1="something" | table field1 | eval field2="something,nothing,everything,something,anything,something,something,something" | makemv field2 delim="," 
| eval test=field2 | nomv test| eval test=mvcount(split(replace("start".test."end",field1,"|"),"|"))-1
0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...