Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

match values in same fields

perryd
Engager
‎05-09-2019 06:36 AM

Hi, i would match two field, exactly:
field1 - field2
1 - Empty
1 - Empty
1 - Empty
Empty - 2
Empty - 2

Empty - 2

It's possible sort the values in order to obtain this?:
field1 - field2
1 - 2
1 - 2
1 - 2

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-11-2019 11:31 AM

My other answer answered the question that you actually asked, but given your clarification comment, what you actually need is this:

... | stats values(*) AS * BY FIELD1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-11-2019 11:31 AM

My other answer answered the question that you actually asked, but given your clarification comment, what you actually need is this:

... | stats values(*) AS * BY FIELD1
0 Karma
Reply
Solved! Jump to solution

perryd
Engager
‎05-12-2019 11:58 PM

the problem is that i've about 11000 row and i can't calculate " eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4"
there is some function that do it automatically?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-13-2019 12:37 PM

Did you even try my solution? It handles variable number/names of fields dynamically.

0 Karma
Reply
Solved! Jump to solution

perryd
Engager
‎05-13-2019 12:44 PM

i don't know what put in the row "| eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4".
You say me that it is dynamic, but what i write? I've need to use two fields and 11000 row...
maybe i'm not understand, i'm sorry.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-13-2019 03:28 PM

Forget my other answer entirely. Take your existing search (everything up to the first pipe) and add this answer to the bottom of that. Done.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-11-2019 11:29 AM

Like this:

| makeresults 
| eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| kv
| table field*

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| streamstats count(field1) AS F1 count(field2) AS F2
| foreach F* [ eval <<FIELD>> = if(isnull(field<<MATCHSTR>>), null(), <<FIELD>>) ]
| eval _F=coalesce(F1, F2)
| fields - F*
| selfjoin _F
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-09-2019 07:42 AM

Would need more information regarding what you wish to achieve here. From where did the current output is coming, as a result of a search or from raw data directly? Will there always be same number of rows for each field which has values?

0 Karma
Reply
Solved! Jump to solution

perryd
Engager
‎05-09-2019 08:32 AM

So, my number of row its variable. My data its in a unique index. You can image one index with 3 fields:
FIELD1 - FIELD2 - FIELD3
Hostname1 - values - null()
Hostname2 - values - null()
Hostname3 - values - null()
Hostname4 - values - null()
.................... - ................ - ...........
HostnameN - values - null()
Hostname1 - null() - values

Hostname2 - null() - values

Hostname3 - null() - values

Hostname4 - null() - values

.................... - ................ - ...........

HostnameN - null() - values

What i wont is a match for values in field2 with values in field3. My key is Field 1. My search result should look like this:
FIELD1 - FIELD2 - FIELD3
Hostname1 - values - values

Hostname2 - values - values

Hostname3 - values - values

Hostname4 - values - values

.................... - ................ - ...............
Hostnamen - values - values

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...