Hello,
Working with Splunk 7.3.2.
I have two multivalues that have a set of values in common:
| makeresults
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z"
| table A B
| makemv A delim=","
| makemv B delim=","
In this case the common values are d, h, j. What I'd like to do is create a new multivalue containing those values. The following search gets the job done, but it seems like a terrible way of doing so:
| makeresults
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z"
| table A B
| makemv A delim=","
| makemv B delim=","
| eval C = mvappend(A,B)
| table C
| mvexpand C
| eventstats count by C
| where count > 1
| dedup C
| stats values(C) as C
Can somebody give me some pointers/suggestions on how to make it more elegant and less resource consuming?
Thanks!
Andrew
Hi
Check this
| makeresults
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z"
| table A B
| makemv A delim=","
| makemv B delim=","
| eval C = mvappend(A,B)
| stats count by C
| where count >1
| fields - count
or
| makeresults
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z"
| table A B
| makemv A delim=","
| makemv B delim=","
| eval C = mvappend(A,B)
| stats count by C
| where count >1
| mvcombine delim="," C
| nomv C
| table C
| makeresults
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z"
| table A B
| eval C=split(A.",".B,",")
| stats count by C
| stats values(eval(if(count>1,C,NULL))) as C delim=","
| nomv C
This is the same way.
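A per-event variant of the searches above, as an added example that is not part of the original thread. It assumes the search may return more than one row and that a value may repeat inside A or B, so it tags each row with a hypothetical `row` id, runs mvdedup on each side so that only a value present in both fields can reach a count of 2, and groups by `row`. The two sample rows are constructed.

```spl
| makeresults count=2
| streamstats count as row
| eval A=if(row=1, "a,b,c,d,d,e,f,g,h,i,j", "x,y,z")
| eval B=if(row=1, "d,h,j,l,o,t,z", "y,q")
| eval A=mvdedup(split(A, ",")), B=mvdedup(split(B, ","))
| eval C=mvappend(A, B)
| stats count by row C
| where count > 1
| stats values(C) as C by row
```

With the constructed rows this returns d, h, j for row 1 and y for row 2. A row whose fields share no value drops out of the result.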