Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Removing duplicates from 2 multivalue field (leaving distinct values only)

diskioinferno
Engager
‎12-13-2023 02:21 AM

I have 2 multivalue fields (old and new) containing group lists for 1 or more users. The new values is the list of groups that replace the old groups

For example:

user 1 has an old value of group1, group2, group3
user 1 has a new value of group1, group2, group3, group4, and group5
user 2 has an old value of group3, group4, group5
user 1 has a new value of group4, group5, group6, group7, and group8

I'm trying to return group4 and group5 for user and group7 and group8 for user2

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-13-2023 07:05 AM

I think you should be able to do this by using the mvmap() function.

dtburrows3_0-1702479817788.png


Here is the eval to return the resulting table above.

``` Eval to perform set operation against Splunk multivalue fields ```
    | eval
        new_remove_old_set_operation=case(
            isnull(new_groups), null(),
            mvcount(new_groups)==1, if(NOT 'new_groups'=='old_groups', 'new_groups', null()),
            mvcount(new_groups)>1, mvmap(new_groups, if(NOT 'new_groups'=='old_groups', 'new_groups', null()))
            )

 

Full SPL snippet used to replicate your scenario.

| makeresults
    | eval
        user="user1",
        old_groups=mvappend(
            "group1",
            "group2",
            "group3"
            ),
        new_groups=mvappend(
            "group1",
            "group2",
            "group3",
            "group4",
            "group5"
            )
    | append
        [
            | makeresults
                | eval
                    user="user2",
                    old_groups=mvappend(
                        "group3",
                        "group4",
                        "group5"
                        ),
                    new_groups=mvappend(
                        "group4",
                        "group5",
                        "group6",
                        "group7",
                        "group8"
                        )
            ]
    | fields - _time
    | fields + user, old_groups, new_groups
    ``` Eval to perform set operation against Splunk multivalue fields ```
    | eval
        new_remove_old_set_operation=case(
            isnull(new_groups), null(),
            mvcount(new_groups)==1, if(NOT 'new_groups'=='old_groups', 'new_groups', null()),
            mvcount(new_groups)>1, mvmap(new_groups, if(NOT 'new_groups'=='old_groups', 'new_groups', null()))
            )




View solution in original post

Reply
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-13-2023 07:05 AM

I think you should be able to do this by using the mvmap() function.

dtburrows3_0-1702479817788.png


Here is the eval to return the resulting table above.

``` Eval to perform set operation against Splunk multivalue fields ```
    | eval
        new_remove_old_set_operation=case(
            isnull(new_groups), null(),
            mvcount(new_groups)==1, if(NOT 'new_groups'=='old_groups', 'new_groups', null()),
            mvcount(new_groups)>1, mvmap(new_groups, if(NOT 'new_groups'=='old_groups', 'new_groups', null()))
            )

 

Full SPL snippet used to replicate your scenario.

| makeresults
    | eval
        user="user1",
        old_groups=mvappend(
            "group1",
            "group2",
            "group3"
            ),
        new_groups=mvappend(
            "group1",
            "group2",
            "group3",
            "group4",
            "group5"
            )
    | append
        [
            | makeresults
                | eval
                    user="user2",
                    old_groups=mvappend(
                        "group3",
                        "group4",
                        "group5"
                        ),
                    new_groups=mvappend(
                        "group4",
                        "group5",
                        "group6",
                        "group7",
                        "group8"
                        )
            ]
    | fields - _time
    | fields + user, old_groups, new_groups
    ``` Eval to perform set operation against Splunk multivalue fields ```
    | eval
        new_remove_old_set_operation=case(
            isnull(new_groups), null(),
            mvcount(new_groups)==1, if(NOT 'new_groups'=='old_groups', 'new_groups', null()),
            mvcount(new_groups)>1, mvmap(new_groups, if(NOT 'new_groups'=='old_groups', 'new_groups', null()))
            )




Reply
Solved! Jump to solution

diskioinferno
Engager
‎12-17-2023 06:42 PM

This worked,  thank you! I had looked at mvmap but this was not the how I was trying to use it - thanks for your help

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-13-2023 06:16 AM 
| eval groups=mvappend(old, old, new)
| stats count by user groups

Where count=3, the group exists in both old and new

Where count=2, the group exists just in old

Where count=1, the group exists just in new

Reply
Get Updates on the Splunk Community!

Insights from .conf 2025, Smart Edge Processor Scaling, and a New Splunk Lantern ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Machine Learning - Assisted Adaptive Thresholding

Let’s talk thresholding. Have you set up static thresholds? Tired of static thresholds triggering false ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...