Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- match values in same fields
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
perryd
Engager
05-09-2019
06:36 AM
Hi, i would match two field, exactly:
field1 - field2
1 - Empty
1 - Empty
1 - Empty
Empty - 2
Empty - 2
Empty - 2
It's possible sort the values in order to obtain this?:
field1 - field2
1 - 2
1 - 2
1 - 2
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-11-2019
11:31 AM
My other answer answered the question that you actually asked, but given your clarification comment, what you actually need is this:
... | stats values(*) AS * BY FIELD1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-11-2019
11:31 AM
My other answer answered the question that you actually asked, but given your clarification comment, what you actually need is this:
... | stats values(*) AS * BY FIELD1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
perryd
Engager
05-12-2019
11:58 PM
the problem is that i've about 11000 row and i can't calculate " eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4"
there is some function that do it automatically?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-13-2019
12:37 PM
Did you even try my solution? It handles variable number/names of fields dynamically.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
perryd
Engager
05-13-2019
12:44 PM
i don't know what put in the row "| eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4".
You say me that it is dynamic, but what i write? I've need to use two fields and 11000 row...
maybe i'm not understand, i'm sorry.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-13-2019
03:28 PM
Forget my other answer entirely. Take your existing search (everything up to the first pipe) and add this answer to the bottom of that. Done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-11-2019
11:29 AM
Like this:
| makeresults
| eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| kv
| table field*
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| streamstats count(field1) AS F1 count(field2) AS F2
| foreach F* [ eval <<FIELD>> = if(isnull(field<<MATCHSTR>>), null(), <<FIELD>>) ]
| eval _F=coalesce(F1, F2)
| fields - F*
| selfjoin _F
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-09-2019
07:42 AM
Would need more information regarding what you wish to achieve here. From where did the current output is coming, as a result of a search or from raw data directly? Will there always be same number of rows for each field which has values?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
perryd
Engager
05-09-2019
08:32 AM
So, my number of row its variable. My data its in a unique index. You can image one index with 3 fields:
FIELD1 - FIELD2 - FIELD3
Hostname1 - values - null()
Hostname2 - values - null()
Hostname3 - values - null()
Hostname4 - values - null()
.................... - ................ - ...........
HostnameN - values - null()
Hostname1 - null() - values
Hostname2 - null() - values
Hostname3 - null() - values
Hostname4 - null() - values
.................... - ................ - ...........
HostnameN - null() - values
What i wont is a match for values in field2 with values in field3. My key is Field 1. My search result should look like this:
FIELD1 - FIELD2 - FIELD3
Hostname1 - values - values
Hostname2 - values - values
Hostname3 - values - values
Hostname4 - values - values
.................... - ................ - ...............
Hostnamen - values - values
Get Updates on the Splunk Community!
Introducing the Splunk Answers Content Calendar
Two parameters are needed for shortenTextAtSpace function: string and maxLen. Ellipsis is optional.
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
