Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to merge two fields and remove values that are identical in both?

karthik4455
Explorer
‎09-10-2014 05:59 AM

Escalated_Tickets Resolved_Tickets
4334
3453
5545
8438
7565
8948
8877
4675
9868
4334
3453
5568
5545
8438
6932
7565
8948
8877
1258
6589
4675
9868
What I need is the below output.
Tickets
5568
6932
1258
6589

Single output which will remove entries that are identical in Escalated_Tickets & Resolved_Tickets

Tags (2)
0 Karma
Reply

chris
Motivator
‎09-10-2014 06:25 AM

--- Updated (thanks aweitzman) ---

I am assuming that every line in your question is an event. You cant try this:

basesarch | eval ticket_id=coalesce(Escalated_Tickets,Resolved_Tickets) |  eval marker=case(isnull(Escalated_Tickets), "Resolved",isnull(Resolved_Ticket), "Escalated") | stats count dc(marker) as markers values(marker) by ticket_id  | where markers<2
  • The first eval will make sure that you have the same field name for your ticket ids
  • The marker eval will make sure, that if the same ticket is escalated or resolved multiple times it will not disappear

This might give you an idea for a solution:
http://blogs.splunk.com/2011/01/11/maintaining-state-of-the-union/

Chris

Reply

chris
Motivator
‎09-10-2014 07:25 AM

I updated the answer

0 Karma
Reply

chris
Motivator
‎09-10-2014 07:16 AM

Ouch I didn't think about that you're right

0 Karma
Reply

aweitzman
Motivator
‎09-10-2014 07:05 AM

I don't think this is quite good enough, since it won't handle the case where there is more than one anomalous Resolved_Tickets number of the same value. In other words, if "6932" was instead "6589" these searches would eliminate them both.

I think the solution might involve writing subsearches to retrieve each column separately, and then using set diff to come up with the difference between the two. Not ideal from a performance perspective, but it should be more accurate.

Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...