
Problems Comparing Multivalue Fields

Beth
Engager

I am trying to compare two multivalue fields using the below search:

index="weblogic" "Dynamic Server List" | rex field=_raw "Host: (?<DynamicHost>.*).*.Secure.*.Status" max_match=10 | rex field=_raw "Host: (?<StaticHost>.*).*.Secure.*.\d{4}\n" max_match=10 | eval DynamicCount=mvcount(DynamicHost) | replace "*'*'* Port: *" with ***:* in DynamicHost,StaticHost | eval StaticCount=mvcount(StaticHost) | streamstats count as id
| stats values(DynamicHost) as DynamicValues values(StaticHost) as StaticValues values(url) as URL by id | eval Status = if(DynamicValues != StaticValues, "NOT OK", "OK") | table URL,DynamicValues,StaticValues,Status | dedup URL,DynamicValues,StaticValues

However, there are instances where the Status is "OK" and it is obvious that the fields do not match. Since I am not allowed to use image tags yet, an example can be found here: http://www.freeimagehosting.net/uploads/d2360a43f1.png

Is there another way to compare the values of these fields that will return a Status of "NOT OK"?


Ron_Naken
Splunk Employee

This will break the events into a separate event for each value of DynamicValues and compare whether the entry in DynamicValues is in the StaticValues list:

... | makemv DynamicValues | mvexpand DynamicValues | where match(StaticValues, DynamicValues)

The above search will return every instance where a DynamicValues entry is in StaticValues. Use | mvcombine (see below) if you want to get the data back into its originally unexpanded format.

The "match" function will search a field for a RegEx, but in this case, we're searching one multivalued field (StaticValues) for the individual entities of DynamicValues. Be sure to check the docs on makemv, so you get your field splits correct.

If you want to add the "OK" and "NOT OK" text to the list and return the events to their original format, you could do the search like this:

... | makemv DynamicValues | mvexpand DynamicValues | eval Status = if(match(StaticValues, DynamicValues), "OK", "NOT OK") | mvcombine DynamicValues

The question was originally asked here:
http://answers.splunk.com/questions/11287/comparing-multivalue-fields/11293#11293

The whole search to build the .PNG image might look something like this:

index="weblogic" "Dynamic Server List" | makemv DynamicValues | mvexpand DynamicValues | eval Status = if(match(StaticValues, DynamicValues), "OK", "NOT OK") | mvcombine DynamicValues

HTH,
Ron
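The following is an added example, not code from the question, the answer or Splunk; it models the three comparison strategies discussed above on constructed rows shaped like the stats output (URL, DynamicValues, StaticValues). The host names and URLs are invented, and the way match() is modelled for a multivalue subject (true if the regex matches any one value) is an assumption. It shows why whole-list equality is order-sensitive, why per-entry match() can report "OK" for a host that differs (the dynamic entry is used as an unescaped regex, so it behaves as a substring search) and only checks one direction, and what an exact, two-way set comparison reports instead.

```python
import re

# Constructed rows shaped like the stats output in the question:
# (URL, DynamicValues, StaticValues). Hosts and URLs are invented.
ROWS = [
    ("http://portal.example/app",   ["app1:7001", "app2:7001"], ["app1:7001", "app2:7001"]),
    ("http://portal.example/api",   ["app1:7001", "app2:7001"], ["app2:7001", "app1:7001"]),
    ("http://portal.example/admin", ["app1:7001"],              ["app1:70012"]),
    ("http://portal.example/batch", ["app1:7001"],              ["app1:7001", "app3:7001"]),
]


def compare_whole(dynamic, static):
    """Whole-list comparison, the shape of the question's
    eval Status = if(DynamicValues != StaticValues, ...).
    Order and duplicates change the answer even when the members are the same."""
    return "OK" if list(dynamic) == list(static) else "NOT OK"


def compare_regex_each(dynamic, static):
    """Per-entry check in the shape of the answer's
    mvexpand DynamicValues | eval Status = if(match(StaticValues, DynamicValues), ...).
    Assumed model of match() on a multivalue subject: true if the regex matches
    any one value. The dynamic entry is used as a regex, unescaped, so '.' matches
    any character and the test is a substring search, not an exact comparison.
    Only the dynamic-to-static direction is checked."""
    return [
        (d, "OK" if any(re.search(d, s) for s in static) else "NOT OK")
        for d in dynamic
    ]


def compare_exact_sets(dynamic, static):
    """Order-insensitive, exact, two-way comparison: reports hosts missing from
    the static list and hosts present only in the static list."""
    dyn, sta = set(dynamic), set(static)
    missing = sorted(dyn - sta)
    extra = sorted(sta - dyn)
    return {
        "status": "OK" if not missing and not extra else "NOT OK",
        "missing_from_static": missing,
        "extra_in_static": extra,
    }


def report(rows=ROWS):
    """Run all three strategies over the rows; returns a dict keyed by URL."""
    out = {}
    for url, dynamic, static in rows:
        out[url] = {
            "whole": compare_whole(dynamic, static),
            "regex_each": compare_regex_each(dynamic, static),
            "exact": compare_exact_sets(dynamic, static),
        }
    return out


if __name__ == "__main__":
    for url, r in report().items():
        print(url)
        print("  whole-list :", r["whole"])
        print("  regex each :", r["regex_each"])
        print("  exact sets :", r["exact"]["status"], r["exact"])
```

Running it shows the "api" row flagged NOT OK by whole-list equality although both lists hold the same hosts, the "admin" row passing the per-entry regex check although app1:7001 and app1:70012 are different listeners, and the "batch" row passing the per-entry check although the static list carries an extra host; the exact set comparison reports each of these correctly and names the offending hosts, which is the output an operator needs when reconciling dynamic and static server lists.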
