Solved: How to get the combinations of a set of values?

teresachila · ‎08-20-2022

Given a set of values (e.g. A,B,C) in a multi-value field, I want to get all the combinations that can be generated by this set, i.e. A-B, A-C, B-C. This is like using itertools combinations in python, but instead of creating a python custom command, I want to do it natively in splunk.

teresachila · ‎08-20-2022

| makeresults 
| eval set="A,B,C,D,E|F,G,H" 
| eval set=split(set,"|") | mvexpand set
| eval set=split(set,",")
| streamstats count as rownum | eval cluster_label="cluster"+rownum
| eval indikey = set, num_set=mvcount(set)
| mvexpand indikey
| streamstats count as step by cluster_label
| eval key2 = mvindex(set, step, num_set)
| eval combo = mvzip(set, key2, ":::")
| stats values(set) as set values(combo) as combo by cluster_label | eval num_combo=mvcount(combo)

I used ":::" as the delimiter but it can be anything. This generates the field "combo" which contains the combinations in a multivalue field.

View solution in original post

teresachila · ‎08-20-2022

| makeresults 
| eval set="A,B,C,D,E|F,G,H" 
| eval set=split(set,"|") | mvexpand set
| eval set=split(set,",")
| streamstats count as rownum | eval cluster_label="cluster"+rownum
| eval indikey = set, num_set=mvcount(set)
| mvexpand indikey
| streamstats count as step by cluster_label
| eval key2 = mvindex(set, step, num_set)
| eval combo = mvzip(set, key2, ":::")
| stats values(set) as set values(combo) as combo by cluster_label | eval num_combo=mvcount(combo)

I used ":::" as the delimiter but it can be anything. This generates the field "combo" which contains the combinations in a multivalue field.

How to get the combinations of a set of values?

other

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!