Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare values on the same columns and on the same date

iancorrea
Path Finder
‎06-12-2019 05:17 AM

I have this table, and i just want to remove the rows that has the same cost on that date if the B1 of that row is on the B2 of another row. So basically, I just want to remove rows 4 and 5. Is there any way to do this? Thanks.
alt text

Preview file
45 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jnudell_2
Builder
‎06-12-2019 10:00 AM

Hi iancorrea,

I have a crazy search that works how you want it to, but you have to have the Line number field in there.

... [your search] ...

| sort Line 

| streamstats current=f window=1 last(B2) as lastb2 last(B1) as lastb1 last(Cost) as lastcost last(Line) as lastline 

| eval match = if(Cost == lastcost AND B1 == lastb2, 1, 0) 

| eval removeline = case(match == 1, split(lastline . "," . Line, ",")) 

| eventstats values(removeline) as removeline 

| where Line!=removeline 

| table Line Date Log B1 B2 Cost Reference

Basically, it uses streamstats to compare to the previous event's values and then uses eventstats to provide a list of line numbers to remove using the where statement.

View solution in original post

Reply
Solved! Jump to solution
Solution

jnudell_2
Builder
‎06-12-2019 10:00 AM

Hi iancorrea,

I have a crazy search that works how you want it to, but you have to have the Line number field in there.

... [your search] ...

| sort Line 

| streamstats current=f window=1 last(B2) as lastb2 last(B1) as lastb1 last(Cost) as lastcost last(Line) as lastline 

| eval match = if(Cost == lastcost AND B1 == lastb2, 1, 0) 

| eval removeline = case(match == 1, split(lastline . "," . Line, ",")) 

| eventstats values(removeline) as removeline 

| where Line!=removeline 

| table Line Date Log B1 B2 Cost Reference

Basically, it uses streamstats to compare to the previous event's values and then uses eventstats to provide a list of line numbers to remove using the where statement.

Reply
Solved! Jump to solution

iancorrea
Path Finder
‎06-12-2019 05:59 PM

Thanks for researching for a solution sir, I appreciate your effort 🙂 But i came up to another solution which I think the same concept as your answer. I made another field named "Comparison" and used eventstats to compare. This is what I've done, 

1. ... [my search] ...
2. | eval Comparison=if(Log=="In", Date+"|"+B1+"|"+B2+"|"+Cost,Date+"|"+B2+"|"+B1+"|"+Cost)
3. | eventstats count as Status by Comparison
4. | eval Status=if(Status=="1","Failed","Passed")
5. | where Status="Failed"
0 Karma
Reply
Solved! Jump to solution

grittonc
Contributor
‎06-12-2019 09:21 AM

In that case, why is row 6 the one that stays? Is it because it's the latest one? How would we know that other than the ID?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...