## How do you evaluate the difference between 2 multivalue fields?

Hi,

Let's say we have 2 multivalue fields:

```
Field1={a,b,c,d}
Field2={a,b,c,d,e}
```

Is it possible to evaluate the difference between these fields and display the additional value of Field2, so that Field3={e}?

Best regards,

Heinz

1 Solution

Let me know what you think of the strategy:

```
| makeresults
| eval F1="a b c"
| makemv F1
| append [| makeresults | eval F2="a b c d" | makemv F2 ]
| append [ | makeresults | eval F2_Original="a b c d" | makemv F2_Original ]
| stats values(F1) as F1, values(F2) as F2, values(F2_Original) as F2_Original
| mvexpand F2
| eval F3=if(F2 IN(F1),"",F2)
| fields F1, F2_Original, F3
| where len(F3)>0
```

The given information works, but I would consider something that is more direct:

MVCompare | Splunkbase

Hi @HeinzWaescher

Try this and let me know

```
| makeresults
| eval Field1="a,b,c,e", Field2="a,b,c,d"
| eval Field3=mvzip(Field1,Field2)
| makemv delim="," Field3
| stats list(Field1) as Field1, list(Field2) as Field2, count by Field3
| mvcombine Field3
| eval Field3=mvjoin(Field3,",")
| where count=1
| table Field1,Field2,Field3
```

Works pretty fine! Thanks
