Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

compare two multivalue fields to get unique values in a third field

architkhanna
Path Finder
‎08-13-2020 11:38 PM

I have 2 multivalue collumns like below,giving two rows for example:

Collumn 1      collumn 2
A                           A
B                           C
C


A                            A
B                            B
A
C
C


i want a third column like this(having values of collumn1 which are in collumn 2)

Collumn 1      collumn 2        collumn 3
A                           A                                 A
B                           C                                 C
C


A                            A                                 A
B                            B                                 B
A                                                                A
C
C
 
Please note,Collumn 1 can be empty also.

Thanks in Advance.

Labels (2)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎08-14-2020 12:00 AM

| makeresults
| eval Col1=split("ABC",""),Col2=split("AC","")
| appendpipe [eval Col1=split("ABACC",""), Col2=split("AB","")]
| streamstats count as session
| mvexpand Col1
| eval result=if(match(Col2,Col1),Col1,NULL)
| stats list(Col1) as Col1 values(Col2) as Col2 list(result) as result by session
| fields - session

0 Karma
Reply

architkhanna
Path Finder
‎08-14-2020 12:05 AM

I am trying not to use mvexapnd in splunk8
Also I cannot use "makeresult" command since it has to be the first command in my search,which in my case is not.

0 Karma
Reply

to4kawa
Ultra Champion
‎08-14-2020 12:07 AM

I don't know what your query is.
It's a query that everyone can do.

0 Karma
Reply

architkhanna
Path Finder
‎08-14-2020 12:09 AM

Query is what I have asked for and the sample values I have provided.
If you can understand well and good ,else Thanks for your time.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

PLATFORM TECH TALKS What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Thursday, February 27, ...