Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: I have 2 mvfields, how to extract values that ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I feel like this should be a simple solution but I can't find it. So my search gives values that were present from a group both yesterday and today, but I want to extract those that are not present both days. My search is currently doing this:
|
Group |
Values_ |
Values_ |
Count_ |
Count_ |
change |
|
a |
111 333 444 555 |
111 222 333 444 555 |
4 |
5 |
-1 |
|
b |
111 222 333 |
111 222 333 |
3 |
3 |
0 |
|
c |
111 |
111 |
4 |
6 |
-2 |
|
d |
111 |
111 |
3 |
2 |
+1 |
Here is the desired output:
|
Group |
Values_ |
Values_ |
Count_ |
Count_ |
change |
Missing_from_ |
Missing_from_ |
|
a |
111 333 444 555 |
111 222 333 444 555 |
4 |
5 |
-1 |
222 |
|
|
b |
111 222 333 |
111 222 333 |
3 |
3 |
0 |
|
|
|
c |
111 |
111 |
4 |
6 |
-2 |
444 |
|
|
d |
111 |
111 |
3 |
2 |
+1 |
|
333 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| eval missing_today = mvmap(Values_yesterday, if(in(Values_yesterday, Values_today), null(), Values_yesterday))
| eval missing_yesterday = mvmap(Values_today, if(in(Values_today, Values_yesterday), null(), Values_today))
We can't use mvfilter here because you cannot reference multiple fields in mvfilter.
Given that you specifically need to know what's missing from yesterday and what's missing from today (as opposed to what's missing from either of the two days) I think two separate mvmaps will be the best solution as oppsosed to using mvappend and working out what's not duplicated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| eval missing_today = mvmap(Values_yesterday, if(in(Values_yesterday, Values_today), null(), Values_yesterday))
| eval missing_yesterday = mvmap(Values_today, if(in(Values_today, Values_yesterday), null(), Values_today))
We can't use mvfilter here because you cannot reference multiple fields in mvfilter.
Given that you specifically need to know what's missing from yesterday and what's missing from today (as opposed to what's missing from either of the two days) I think two separate mvmaps will be the best solution as oppsosed to using mvappend and working out what's not duplicated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, I was trying to go down a completely different path, but this does exactly what I needed. Thanks
Splunk Search APIを使えば調査過程が残せます
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
