Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

comparing multivalue fields

stevesmith08
Explorer
‎04-07-2019 12:23 PM

Good day!

I need to compare the results of a search query that contains multivalued fields.

My search query looks like this:

sourcetype = MySourceType earliest = 0 latest = now()
| eval category = if(_time>relative_time(now(), "-2h@h"), "DeviceIDnew", "DeviceIDlater")
| chart values(deviceID) by IP, category 
| eval compare = if(DeviceIDlater=DeviceIDnew, 0, 1)
| table IP, DeviceIDlater, DeviceIDnew, compare

Despite the fact that, in most cases, the comparison is correct, I noticed that in some cases there are errors.

For example:
alt text
In the example above, I mean that compare = 0 because the values DeviceIDnew contained in the field DeviceIDlater.

Could you help me, please? How it is correct to compare multi-value field?

Thank you!

Preview file
1 KB
0 Karma
Reply

harishalipaka
Motivator
‎04-08-2019 03:57 AM

@stevesmith08

try like this | eval compare = if(match(DeviceIDlater,DeviceIDnew), 0, 1)

Thanks
Harish
0 Karma
Reply

MuS
Legend
‎04-07-2019 01:59 PM

Hi stevesmith08,

If you use the field with less multi values, expand it and do the compare operation it should work just fine. Try something like this:

sourcetype = MySourceType earliest = 0 latest = now()
 | eval category = if(_time>relative_time(now(), "-2h@h"), "DeviceIDnew", "DeviceIDlater")
 | chart values(deviceID) by IP, category 
 | mvexpand DeviceIDnew
 | eval compare = if(DeviceIDlater=DeviceIDnew, 0, 1)
 | table IP, DeviceIDlater, DeviceIDnew, compare

This will work with a small set of events, if you have millions of events try this:

sourcetype = MySourceType earliest = 0 latest = now()
 | eval category = if(_time>relative_time(now(), "-2h@h"), "DeviceIDnew", "DeviceIDlater")
 | chart values(deviceID) by IP, category 
 | stats values(*) AS * by IP DeviceIDnew
 | eval compare = if(DeviceIDlater=DeviceIDnew, 0, 1)
 | table IP, DeviceIDlater, DeviceIDnew, compare

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...