Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Return value based on another field using a muilti-value field

pyroman26
New Member
‎10-21-2019 01:57 PM

Here is my data in the table:

Index Field1 Field2
1 0 A,B,C
1 -5 D,E,F
1 -10 G,H,I

I have a complex query that returns a single row of data that includes index, field1 (as a multi-value field) and field2 (as a multi-value field) like:

1 0,-5,-10 A,B,C,D,E,F,G,H,I

I can get field 2 to return just one value by utilizing the min command that gives me the desired result. If I use the mvexpand field2 I limit the result to index =1, I get the below result:

1 -10, A,B,C

Looking at the data, I want the row for field2 to be the row that corresponds with the the value of the min statement. For a result of:

1, -10 G,H,I

Hope this makes sense. What I am really looking for is the query to return the value based on the value of another field knowing that I currently get have the result in a multi-value field.

0 Karma
Reply

to4kawa
Ultra Champion
‎10-21-2019 03:32 PM 
| makeresults
| eval _raw="Index Field1 Field2
1 0 A,B,C
1 -5 D,E,F
1 -10 G,H,I"
| multikv
| stats values(Field1) as Field1 values(Field2) as Field2 by Index
`comment("Up to this point is the creation of dummy data.")`
`comment("Create Table")`
| mvexpand Field2
| mvexpand Field1
| sort - Field1
| streamstats dc(Field1) as count
| eval table_tmp=Field1."#".Field2
| stats values(table_tmp) as table_tmp values(Index) as Index by count
| eval table_data=mvindex(table_tmp,count-1)
| rex field=table_data "(?<Field1>[^#]+)#(?<Field2>[^#]+)"
| fields Index Field1 Field2

Hi, It's strange when it comes from dummy data.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...