Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to check if each value in multivalue field exists in another multivalue field?

moaf13
Path Finder
‎06-16-2016 12:56 PM

I have two multi value fields with delim "," (comma)

field1                            field2
\value\random\end,                \value3\random3\end3,
\value2\random2\end2,             \value\random\end, 
\value3\random3\end3,             \value2\random2\end2,
\value\that\does\not\exist        \diff\value\anything

I can make them a multivalue using makemv delim="," field1 and the same thing for field2. I want each value from field 1 and check if it exists in field 2, and if it does, then add it to a new field called "field 3"

i wanted to use foreach but i'm not really familiar with it.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

maciep
Champion
‎06-16-2016 07:06 PM

As usual, there is probably a better way. And if any of your events are exactly the same, I don't think this will work. My sample events are all the same, so i added a streamstats count up front so they would all have at least one different field, which is kind of necessary for the last step to actually work the right way.

[your base search]
| eval tmpField1=field1 
| eval tmpField2=field2
| mvexpand tmpField1
| mvexpand tmpField2
| eval field3 = case(tmpField1=tmpField2,tmpField1) 
| fields - tmp* 
| mvcombine field3

this will essentially break out the multi-valued fields each on their own line. So if you have one event with 2 mv fields each with 4 items, then this will create 16 events after expanding those fields.

At that point you can check to see if field1=field2, and if so create field3 with the value from field1. Once that is done across all 16 events, then you can use mvjoin on field3 to collapse all of those events back into a single one.

Hope it helps or at least points you in the right direction.

View solution in original post

Reply
Solved! Jump to solution
Solution

maciep
Champion
‎06-16-2016 07:06 PM

As usual, there is probably a better way. And if any of your events are exactly the same, I don't think this will work. My sample events are all the same, so i added a streamstats count up front so they would all have at least one different field, which is kind of necessary for the last step to actually work the right way.

[your base search]
| eval tmpField1=field1 
| eval tmpField2=field2
| mvexpand tmpField1
| mvexpand tmpField2
| eval field3 = case(tmpField1=tmpField2,tmpField1) 
| fields - tmp* 
| mvcombine field3

this will essentially break out the multi-valued fields each on their own line. So if you have one event with 2 mv fields each with 4 items, then this will create 16 events after expanding those fields.

At that point you can check to see if field1=field2, and if so create field3 with the value from field1. Once that is done across all 16 events, then you can use mvjoin on field3 to collapse all of those events back into a single one.

Hope it helps or at least points you in the right direction.

Reply
Solved! Jump to solution

moaf13
Path Finder
‎06-17-2016 12:01 PM

Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top