Splunk Search

How to extract common values from a multi-value field for different event times.

ashishdhinwa
Engager

Hi All,

I have a multi-value field as shown below-

_time                                     field_test
2022-05-13 04:36:00test_data_1
 test_data_2
 test_data_3
 test_data_4
2022-05-13 03:30:00    test_data_9
 test_data_10
 test_data_3
 test_data_4

 

For the above two events, I am trying to write a query which can provide me the common values such that result is-

test_data_3
test_data_4

 

Please help me on how can I accomplish it?

 

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| stats count by field_test
| where count > 1

View solution in original post

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@ashishdhinwa - You can try something like

<your query>
| eventstats dc(_time) as total_count
| mvexpand field_test
| stats count, last(total_count) as total_count by field_test
| where field_test>=total_count
| fields field_test

This should provide values that are common for all the _time field values (present in all events).

 

Hope this helps!!!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| stats count by field_test
| where count > 1
0 Karma

ashishdhinwa
Engager

Thanks! This works 🙂

0 Karma
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...