Solved: Union of two fields

mohitab · ‎12-08-2014

I have a query that produces results that has two columns :

| field1 | field2 |

Field1 & Field2 have same domain, i.e. takes same set of values. I need to find out Union of the distinct values from both fields.

Any ideas?

aweitzman · ‎12-08-2014

Something like this:

...your search...
| stats values(field1) as f1values values(field2) as f2values 
| eval allvalues=mvdedup(mvappend(f1values,f2values))

ought to work.

View solution in original post

btt · ‎12-12-2014

HI
I propose this

Index=…  field1=*|table field1|append[search  index=…  field2=*|table field2]| eval allvalues=mvappend(field1,field2)|dedup allvalues |table field1 field2 allvalues |sort allvalues

richgalloway · ‎12-08-2014

It's not clear what you want the output to be. This will show all the combinations of field1 and field2 in your data.

<your search> | dedup field1 field2 | ...

---
If this reply helps you, Karma would be appreciated.

aweitzman · ‎12-08-2014

Something like this:

...your search...
| stats values(field1) as f1values values(field2) as f2values 
| eval allvalues=mvdedup(mvappend(f1values,f2values))

ought to work.

Union of two fields

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application