Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Take latest unique values from multivalue field and the corresponding values from another multivalue field?

TalNiv
New Member
‎01-11-2023 05:48 AM

Hi, suppose I have a multi-value field which represents names, which can have different values in each event. for example:

names (ordered by time desc):
event 1: Emma, Dan, Mike
event 2: Dan, Patrick
event 3: Mike, Olivia

In addition, I have another multi-value field which represent the correspond people's grades (correspond by order):

grades (ordered by time desc):
event 1: 80, 70, 100
event 2: 90, 75
event 3: 88, 95

I would like to take for each person his last grade (i.e take all the ever seen people without duplications). My result should look like:

Emma 80
Dan 70
Mike 100
Patrick 75
Olivia 95

Labels (4)
Tags (1)
0 Karma
Reply

TalNiv
New Member
‎01-11-2023 06:55 AM

Thanks for your answer. Although this is a working solution, I wondering if there is another one, because I have a lot of events and they are very big, so mvexpand results pass the 500MB limitation. is there a solution without mvexpand?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-11-2023 07:11 AM

I created a post a while ago about ways to avoid using mvexpand

Help with mvexpand limits, one issue is the memory... - Splunk Community

This may not help if you are actually hitting a memory limit (in which case, nothing helps!)

Having said that, have you considered breaking the search up into smaller chunks (limited to 50,000 events of course) and processing the chunks each with their own mvexpand, then finding the latest for each name from the combined set?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-11-2023 06:48 AM 
| eval namegrade = mvzip(names, grades)
| mvexpand namegrade
| eval name = mvindex(split(namegrade,","),0)
| eval grade = mvindex(split(namegrade,","),1)
| stats first(grade) as grade by name
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...