How to compare field3 with common and unique value...

raju4244 · ‎08-10-2015

Dear All,

I have one question. I have the data like below:

field1:

itema
itemb
itemb
itemc
itemd
iteme
iteme

field2:

itemc
itemd
itemd
iteme

mainfield

itemf
itemc
itemz

I used the search below to get common items and unique items on each fields (field1 and field2).

index=foo source=* |  eval commonfield=coalesce(field1,field2) | stats values(source) as source by commonfield | table commonfield

Now I want to compare the common values from field1 and field2 with mainfield. I want to know what are the common items and unique items on commonfield and main field

All the data is in same index and sourcetype.

Thanks.
Raj

somesoni2 · ‎08-11-2015

Does the main field appears in the same events as field1 and field2?

raju4244 · ‎08-12-2015

no, thats in diiferent source

woodcock · ‎08-11-2015

Like this:

index=foo source=* | eval commonfield=coalesce(field1,field2) | stats values(*) as * by commonfield | where commonfield=mainfield

And

index=foo source=* | eval commonfield=coalesce(field1,field2) | stats values(*) as * by commonfield | where commonfield!=mainfield

How to compare field3 with common and unique values from field1 and field2?

Blueprints for High-Maturity Operations: Splunk Lantern Articles on SOAR, ES 8.4, ...

Simplifying the Analyst Experience with Finding-based Detections

[Puzzles] Solve, Learn, Repeat: Word Search

Join the Conversation

How to compare field3 with common and unique values from field1 and field2?

Blueprints for High-Maturity Operations: Splunk Lantern Articles on SOAR, ES 8.4, ...

Simplifying the Analyst Experience with Finding-based Detections

[Puzzles] Solve, Learn, Repeat: Word Search