Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract common values from a multi-value field for different event times.

ashishdhinwa
Engager
‎05-31-2022 07:37 AM

Hi All,

I have a multi-value field as shown below-

_time                                     field_test
2022-05-13 04:36:00test_data_1
 test_data_2
 test_data_3
 test_data_4
2022-05-13 03:30:00    test_data_9
 test_data_10
 test_data_3
 test_data_4

 

For the above two events, I am trying to write a query which can provide me the common values such that result is-

test_data_3
test_data_4

 

Please help me on how can I accomplish it?

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2022 08:08 AM 
| stats count by field_test
| where count > 1

View solution in original post

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎05-31-2022 10:15 AM

@ashishdhinwa - You can try something like

<your query>
| eventstats dc(_time) as total_count
| mvexpand field_test
| stats count, last(total_count) as total_count by field_test
| where field_test>=total_count
| fields field_test

This should provide values that are common for all the _time field values (present in all events).

 

Hope this helps!!!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2022 08:08 AM 
| stats count by field_test
| where count > 1
0 Karma
Reply
Solved! Jump to solution

ashishdhinwa
Engager
‎06-07-2022 06:11 AM

Thanks! This works 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...