How can i find difference b/w each MV Item? So far i was able to do only one difference ...
OK, I get it now, you need diffs between the numbers inside of a single multi-value field! try this:
| makeresults | eval mvfield="10 30 100 234 64 432 3 632 87" | makemv mvfield | eval mvdiff = tonumber(mvindex(mvfield, 0)) - tonumber(mvindex(mvfield, 1)) | foreach 1 2 3 4 5 6 7 8 9 10 11 12 [eval _t3Mp = tonumber(mvindex(mvfield, <<FIELD>>)) - tonumber(mvindex(mvfield, <<FIELD>> + 1)) | eval mvdiff = mvappend(mvdiff, _t3Mp) ] | fields - _t3Mp | eval mvdiff = mvappend(mvdiff, "N/A")
View solution in original post
MVCompare | Splunkbase
This was much easier for me:
eval diff=mvmap(field1,if(isnull(mvfind(field2,field1)),field1,null))
Beware thet the second parameter for mvfind is a regex, so it should be limited by "^" and "$" if you want the best match.
@RobertEikel
Thanks for this small and easy one-liner that solved my issue.
Awesome worked like a charm .. How can i project the differences on a chart now ? Do i need to expand them first ?
I am not sure what you mean but maybe just ask a new question because this seems like a separate problem.
Here are several answers of mine that compare multi-value fields and show the differences: https://answers.splunk.com/answers/567851/how-can-i-compare-mvfields-and-get-a-diff.html https://answers.splunk.com/answers/734599/how-to-compare-the-same-search-from-the-previous-d.html https://answers.splunk.com/answers/319663/how-to-search-the-difference-between-the-values-of.html https://answers.splunk.com/answers/407106/comparing-multivalue-fields-by-percentage.html
Thanks @woodcock but not able to locate the appropriate solution. please guide
https://answers.splunk.com/answers/760695/generic-solution-to-same-column-value-difference.html
