Splunk Search

How to search unique values in field1 after removing duplicates and common values found in field2?

raju4244
Explorer

Dear All,

I have one question. I have the data like below:

field1:

itema
itemb
itemb
itemc
itemd
iteme
iteme

field2:

itemc
itemd
itemd
iteme

I want to get the following in my search results:

Unique Items which are present in field1 (after removing duplicates and after removing common items present in both fields)

Tags (3)
0 Karma
1 Solution

somesoni2
Revered Legend

Try something like this

index=foo sourcetype=sourcetype1 OR sourcetype=sourcetype2 | eval commonfield=coalesce(field1,field2) | stats values(sourcetype) as sourcetypes by commonfield | where mvindex(sourcetypes)=1 AND sourcetypes="sourcetype1" | table commonfield

View solution in original post

somesoni2
Revered Legend

Try something like this

index=foo sourcetype=sourcetype1 OR sourcetype=sourcetype2 | eval commonfield=coalesce(field1,field2) | stats values(sourcetype) as sourcetypes by commonfield | where mvindex(sourcetypes)=1 AND sourcetypes="sourcetype1" | table commonfield

raju4244
Explorer

this worked after some modification, thanks to you.

ppablo
Retired

Hi @raju4244

As @martin_mueller mentioned, it'd be helpful if you could share the final search you used that worked for you. This forum isn't just for individuals, it's for the greater Splunk community at large 🙂

martin_mueller
SplunkTrust
SplunkTrust

Do post what you modified for others to use.

richgalloway
SplunkTrust
SplunkTrust

Try this:

index=foo sourcetype=baz | dedup field2 | eval fieldc=field2 | join fieldc [ search index=foo sourcetype=bar | dedup field1 | eval fieldc=field1] | table field1
---
If this reply helps you, Karma would be appreciated.
0 Karma

raju4244
Explorer

it is only listing common items, not an unique items present in field1

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Then I gave you the wrong join type. Try ... | join type=left fieldc [ search index=foo sourcetype=bar | dedup field1 |....

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Are both fields present in the same event or are they in different events?

---
If this reply helps you, Karma would be appreciated.
0 Karma

raju4244
Explorer

They are from different sourcetype, i m trying to club them into one list.

Thanks.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...