Problems Comparing Multivalue Fields

Beth
Engager

I am trying to compare two multivalue fields using the below search:

index="weblogic" "Dynamic Server List" | rex field=_raw "Host: (?<DynamicHost>.*).*.Secure.*.Status" max_match=10 | rex field=_raw "Host: (?<StaticHost>.*).*.Secure.*.\d{4}\n" max_match=10 | eval DynamicCount=mvcount(DynamicHost) | replace "*'*'* Port: *" with ***:* in DynamicHost,StaticHost | eval StaticCount=mvcount(StaticHost) | streamstats count as id
| stats values(DynamicHost) as DynamicValues values(StaticHost) as StaticValues values(url) as URL by id | eval Status = if(DynamicValues != StaticValues, "NOT OK", "OK") | table URL,DynamicValues,StaticValues,Status | dedup URL,DynamicValues,StaticValues

However, there are instances where the Status is "OK" and it is obvious that the fields do not match. Since I am not allowed to use image tags yet, an example can be found here: http://www.freeimagehosting.net/uploads/d2360a43f1.png

Is there another way to compare the values of these fields that will return a Status of "NOT OK"?

Ron_Naken
Splunk Employee

This will break the events into a separate event for each value of DynamicValues and compare whether the entry in DynamicValues is in the StaticValues list:

... | makemv DynamicValues | mvexpand DynamicValues | where match(StaticValues, DynamicValues)

The above search will return every instance where a DynamicValues entry is in StaticValues. Use | mvcombine (see below) if you want to get the data back into its originally unexpanded format.

The "match" function will search a field for a RegEx, but in this case, we're searching one multivalued field (StaticValues) for the individual entities of DynamicValues. Be sure to check the docs on makemv, so you get your field splits correct.

If you want to add the "OK" and "NOT OK" text to the list and return the events to their original format, you could do the search like this:

... | makemv DynamicValues | mvexpand DynamicValues | eval Status = if(match(StaticValues, DynamicValues), "OK", "NOT OK") | mvcombine DynamicValues

The question was originally asked here:
http://answers.splunk.com/questions/11287/comparing-multivalue-fields/11293#11293

The whole search to build the .PNG image might look something like this:

index="weblogic" "Dynamic Server List" | makemv DynamicValues | mvexpand DynamicValues | eval Status = if(match(StaticValues, DynamicValues), "OK", "NOT OK") | mvcombine DynamicValues

HTH,
Ron
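The mvexpand / match / mvcombine comparison described in the answer, emulated in Python as an added example (not part of this thread or of Splunk). It assumes, as the answer states, that match() tests every value of StaticValues, and it shows the caveat that each DynamicValues entry is used as an unanchored regex, so "10.0.0.1:80" reports "OK" against "10.0.0.1:8080" while a literal whole-value check reports "NOT OK". The sample rows are constructed.

```python
import re
from typing import Callable, Dict, List

# Constructed sample: one search result per URL, each carrying two multivalue fields.
SAMPLE_ROWS: List[Dict] = [
    {"URL": "/app/a",
     "DynamicValues": ["10.0.0.1:7001", "10.0.0.2:7001"],
     "StaticValues": ["10.0.0.1:7001", "10.0.0.2:7001"]},
    {"URL": "/app/b",
     "DynamicValues": ["10.0.0.1:80", "10.0.0.3:7001"],
     "StaticValues": ["10.0.0.1:8080", "10.0.0.2:7001"]},
]


def status_regex(dynamic_value: str, static_values: List[str]) -> str:
    """Emulates eval Status=if(match(StaticValues, DynamicValues), "OK", "NOT OK"):
    the entry is an unanchored regex, so '.' is a wildcard and a shorter
    host:port can match inside a longer one (10.0.0.1:80 vs 10.0.0.1:8080)."""
    return "OK" if any(re.search(dynamic_value, s) for s in static_values) else "NOT OK"


def status_exact(dynamic_value: str, static_values: List[str]) -> str:
    """Literal, whole-value membership: the comparison the question actually wants."""
    return "OK" if dynamic_value in static_values else "NOT OK"


def compare_rows(rows: List[Dict], checker: Callable[[str, List[str]], str]) -> List[Dict]:
    """Emulates '| mvexpand DynamicValues | eval Status=... | mvcombine DynamicValues':
    each entry is scored on its own, then rows that are identical apart from
    DynamicValues (same URL, same Status) are folded back into one multivalue row."""
    out: List[Dict] = []
    for row in rows:
        groups: Dict[str, List[str]] = {}
        for entry in row["DynamicValues"]:            # mvexpand: one row per entry
            groups.setdefault(checker(entry, row["StaticValues"]), []).append(entry)
        for status, values in groups.items():        # mvcombine: fold rows with equal Status
            out.append({"URL": row["URL"], "DynamicValues": values, "Status": status})
    return out


if __name__ == "__main__":
    for name, checker in (("match() regex", status_regex), ("exact", status_exact)):
        print(f"--- {name} ---")
        for r in compare_rows(SAMPLE_ROWS, checker):
            print(r["URL"], r["Status"], r["DynamicValues"])
```

With the regex check, /app/b is split into an "OK" row for 10.0.0.1:80 and a "NOT OK" row for 10.0.0.3:7001; with the exact check both entries land in a single "NOT OK" row.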
