Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to compare two strings and find the difference
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
In the middle of a search, I have two string fields, one is called A and the other B (both have the ";" as delimiter but the number of values inside is variable):
A=test;sample;example
B=test;sample;example;check
I would like to compare the two string and have the difference as result in a new field called C (so suppose C=check).
Is there any way to achieve that (like doing an Excel VLOOKUP without performing a sub-search that can affect the search performance)?
Thanks a lot,
Edoardo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This comes up quite a bit. First you must make A and B multi-valued like this:
...| makemv delim=";" A | makemv delim=";" B ...
Then do something like one of these, depending on exactly what you need:
https://answers.splunk.com/answers/407106/comparing-multivalue-fields-by-percentage.html
https://answers.splunk.com/answers/567851/how-can-i-compare-mvfields-and-get-a-diff.html
https://answers.splunk.com/answers/740480/how-to-compare-characters-in-two-fields-and-return.html
https://answers.splunk.com/answers/762432/multivalue-differences.html
Don't forget to UpVote!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This comes up quite a bit. First you must make A and B multi-valued like this:
...| makemv delim=";" A | makemv delim=";" B ...
Then do something like one of these, depending on exactly what you need:
https://answers.splunk.com/answers/407106/comparing-multivalue-fields-by-percentage.html
https://answers.splunk.com/answers/567851/how-can-i-compare-mvfields-and-get-a-diff.html
https://answers.splunk.com/answers/740480/how-to-compare-characters-in-two-fields-and-return.html
https://answers.splunk.com/answers/762432/multivalue-differences.html
Don't forget to UpVote!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock
Thanks a lot I have followed one of your previous solutions (see https://answers.splunk.com/answers/567851/how-can-i-compare-mvfields-and-get-a-diff.html) and it worked fine
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi edoardo_vicendone,
try something like this:
| makeresults
| eval A="test;sample;example",
B="test;sample;example;check"
| makemv delim=";" A
| makemv delim=";" B
| mvexpand A
| mvexpand B
| stats values(A) AS A by B `comment(" Everything up til here creates events, please ignore ...")`
| eval C=if(B!=A, B, null())
The first 8 lines create, prepare the dummy events and the last line does the actual comparison of field A and B and puts the result into the new field C.
The important part of the SPL is line 4-7 where I create the multi value fields and split them so we are able to compare the values.
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@MuS
Thanks a lot for your feedback!
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
