Splunk Search

Union of two fields

Path Finder

I have a query that produces results that has two columns :

| field1 | field2 | 

Field1 & Field2 have same domain, i.e. takes same set of values. I need to find out Union of the distinct values from both fields.

Any ideas?

Tags (2)
0 Karma
1 Solution

Motivator

Something like this:

...your search...
| stats values(field1) as f1values values(field2) as f2values 
| eval allvalues=mvdedup(mvappend(f1values,f2values))

ought to work.

View solution in original post

Path Finder

HI
I propose this

Index=…  field1=*|table field1|append[search  index=…  field2=*|table field2]| eval allvalues=mvappend(field1,field2)|dedup allvalues |table field1 field2 allvalues |sort allvalues
0 Karma

SplunkTrust
SplunkTrust

It's not clear what you want the output to be. This will show all the combinations of field1 and field2 in your data.

<your search> | dedup field1 field2 | ...
---
If this reply helps you, an upvote would be appreciated.
0 Karma

Motivator

Something like this:

...your search...
| stats values(field1) as f1values values(field2) as f2values 
| eval allvalues=mvdedup(mvappend(f1values,f2values))

ought to work.

View solution in original post

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!