Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What's the easiest way to return a multivalue result containing the values that are present in two multivalues?

andrewtrobec
Motivator
‎02-04-2020 05:36 AM

Hello,

Working with Splunk 7.3.2.

I have two multivalues that have a set of values in common:

| makeresults
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z"
| table A B
| makemv A delim=","
| makemv B delim=","

In this case the common values are d, h, j. What I'd like to do is create a new multivalue containing those values. The following search gets the job done, but it seems like a terrible way of doing so:

| makeresults
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z"
| table A B
| makemv A delim=","
| makemv B delim=","
| eval C = mvappend(A,B)
| table C
| mvexpand C
| eventstats count by C
| where count > 1
| dedup C
| stats values(C) as C

Can somebody give me some pointers/suggestions on how to make it more elegant and less resource consuming?

Thanks!

Andrew

0 Karma
Reply

vnravikumar
Champion
‎02-04-2020 07:36 AM

Hi

Check this

| makeresults 
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z" 
| table A B 
| makemv A delim="," 
| makemv B delim="," 
| eval C = mvappend(A,B) 
| stats count by C 
| where count >1 
| fields - count

or

| makeresults 
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z" 
| table A B 
| makemv A delim="," 
| makemv B delim="," 
| eval C = mvappend(A,B) 
| stats count by C 
| where count >1 
| mvcombine delim="," C 
| nomv C 
| table C
Reply

to4kawa
Ultra Champion
‎02-09-2020 03:21 AM 
| makeresults 
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z" 
| table A B
| eval C=split(A.",".B,",")
| stats count by C
| stats values(eval(if(count>1,C,NULL))) as C delim=","
| nomv C

This is the same way.

Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...