Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract common values from a multi-value field for different event times.

ashishdhinwa
Engager
‎05-31-2022 07:37 AM

Hi All,

I have a multi-value field as shown below-

_time                                     field_test
2022-05-13 04:36:00test_data_1
 test_data_2
 test_data_3
 test_data_4
2022-05-13 03:30:00    test_data_9
 test_data_10
 test_data_3
 test_data_4

 

For the above two events, I am trying to write a query which can provide me the common values such that result is-

test_data_3
test_data_4

 

Please help me on how can I accomplish it?

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2022 08:08 AM 
| stats count by field_test
| where count > 1

View solution in original post

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎05-31-2022 10:15 AM

@ashishdhinwa - You can try something like

<your query>
| eventstats dc(_time) as total_count
| mvexpand field_test
| stats count, last(total_count) as total_count by field_test
| where field_test>=total_count
| fields field_test

This should provide values that are common for all the _time field values (present in all events).

 

Hope this helps!!!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2022 08:08 AM 
| stats count by field_test
| where count > 1
0 Karma
Reply
Solved! Jump to solution

ashishdhinwa
Engager
‎06-07-2022 06:11 AM

Thanks! This works 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...