What's the easiest way to return a multivalue result containing the values that are present in two multivalues?

andrewtrobec
Motivator

Hello,

Working with Splunk 7.3.2.

I have two multivalues that have a set of values in common:

| makeresults
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z"
| table A B
| makemv A delim=","
| makemv B delim=","

In this case the common values are d, h, j. What I'd like to do is create a new multivalue containing those values. The following search gets the job done, but it seems like a terrible way of doing so:

| makeresults
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z"
| table A B
| makemv A delim=","
| makemv B delim=","
| eval C = mvappend(A,B)
| table C
| mvexpand C
| eventstats count by C
| where count > 1
| dedup C
| stats values(C) as C

Can somebody give me some pointers/suggestions on how to make it more elegant and less resource consuming?

Thanks!

Andrew

vnravikumar
Champion

Hi

Check this

| makeresults 
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z" 
| table A B 
| makemv A delim="," 
| makemv B delim="," 
| eval C = mvappend(A,B) 
| stats count by C 
| where count >1 
| fields - count

or

| makeresults 
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z" 
| table A B 
| makemv A delim="," 
| makemv B delim="," 
| eval C = mvappend(A,B) 
| stats count by C 
| where count >1 
| mvcombine delim="," C 
| nomv C 
| table C

to4kawa
Ultra Champion

| makeresults 
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z" 
| table A B
| eval C=split(A.",".B,",")
| stats count by C
| stats values(eval(if(count>1,C,NULL))) as C delim=","
| nomv C

This is the same way.
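
Added example (not from any post in this thread): the count-based searches above treat a value as common when it appears more than once in the combined list, so a value repeated inside A alone also passes, and the count runs across all events together. The search below removes duplicates from each field first and groups by a row field so that each event gets its own intersection; the row field and the sample values are constructed for illustration.

```spl
| makeresults count=2
| streamstats count AS row
| eval A=split(if(row=1, "a,b,c,d,d,h,j", "x,x,y"), ","),
       B=split(if(row=1, "d,h,j,l", "y,q"), ",")
| eval C=mvappend(mvdedup(A), mvdedup(B))
| stats count BY row, C
| where count > 1
| stats values(C) AS C BY row
```

Row 1 returns d, h, j and row 2 returns y; without mvdedup, x in row 2 would be reported as common because it occurs twice in A. A row with no common values drops out of the results.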
