Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to match the values from different rows on a table and compare result.

mandarpim
New Member
‎01-31-2019 06:38 AM

I have 2 tables contains random msisdn which can be repeated in one another as follows:
Table1 | Table2
msisdn1 | msisdn3
msisdn2 | msisdn1
msisdn3 | msisdn8
msisdn5 | msisdn6
| msisdn2
| msisdn 4

and so on.
Also row may be different as well as table count/length.

So need to check the same msisdn value in both table and save the result in another field.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lakshman239
Influencer
‎02-01-2019 06:37 AM

you can create 2 lookup tables, one for each table. Then, you can merge them and compare for count>1

|inputlookup table1.csv | table MSIDN | outputlookup append=t table2.csv | stats count by MSIDN |where count > 1

So, if you have values more than 1, that means, that MSIDN is appearing in both the tables.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lakshman239
Influencer
‎02-01-2019 06:37 AM

you can create 2 lookup tables, one for each table. Then, you can merge them and compare for count>1

|inputlookup table1.csv | table MSIDN | outputlookup append=t table2.csv | stats count by MSIDN |where count > 1

So, if you have values more than 1, that means, that MSIDN is appearing in both the tables.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎02-01-2019 04:58 AM

@mandarpim

Are you looking for this?

YOUR_TABLE1_SEARCH  [ YOUR_TABLE2_SEARCH  | return Table1 value ]

Sample Search

| makeresults | eval _raw="
Table1  value
msisdn1 10
msisdn2 40
msisdn3 30
msisdn5 40
" | multikv | search [| makeresults | eval _raw="
Table1  value
msisdn2 40
msisdn4 80
" | multikv | return Table1 value ]
0 Karma
Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎01-31-2019 10:48 PM

@mandarpim: Are you looking something like this:
| makeresults | eval msd="12"
| append [| makeresults | eval msd="13"]
| append [| makeresults | eval msd="14"]
| append [| makeresults | eval msd="12"]
| fields - _time
|join max=0 msd [ | makeresults | eval msd="10"
| append [| makeresults | eval msd="14"]
| append [| makeresults | eval msd="14"]
| append [| makeresults | eval msd="14"]]

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎01-31-2019 11:31 AM

@mandarpim in the above example, is the desired result will be all the items as the arent "equal" on their perspective table location OR only msisdn 2 4 and 5?

0 Karma
Reply
Solved! Jump to solution

mandarpim
New Member
‎02-01-2019 04:36 AM

The final result should be in separate table with a flag found or not-found.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...