Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

match values in same fields

perryd
Engager
‎05-09-2019 06:36 AM

Hi, i would match two field, exactly:
field1 - field2
1 - Empty
1 - Empty
1 - Empty
Empty - 2
Empty - 2

Empty - 2

It's possible sort the values in order to obtain this?:
field1 - field2
1 - 2
1 - 2
1 - 2

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-11-2019 11:31 AM

My other answer answered the question that you actually asked, but given your clarification comment, what you actually need is this:

... | stats values(*) AS * BY FIELD1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-11-2019 11:31 AM

My other answer answered the question that you actually asked, but given your clarification comment, what you actually need is this:

... | stats values(*) AS * BY FIELD1
0 Karma
Reply
Solved! Jump to solution

perryd
Engager
‎05-12-2019 11:58 PM

the problem is that i've about 11000 row and i can't calculate " eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4"
there is some function that do it automatically?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-13-2019 12:37 PM

Did you even try my solution? It handles variable number/names of fields dynamically.

0 Karma
Reply
Solved! Jump to solution

perryd
Engager
‎05-13-2019 12:44 PM

i don't know what put in the row "| eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4".
You say me that it is dynamic, but what i write? I've need to use two fields and 11000 row...
maybe i'm not understand, i'm sorry.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-13-2019 03:28 PM

Forget my other answer entirely. Take your existing search (everything up to the first pipe) and add this answer to the bottom of that. Done.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-11-2019 11:29 AM

Like this:

| makeresults 
| eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| kv
| table field*

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| streamstats count(field1) AS F1 count(field2) AS F2
| foreach F* [ eval <<FIELD>> = if(isnull(field<<MATCHSTR>>), null(), <<FIELD>>) ]
| eval _F=coalesce(F1, F2)
| fields - F*
| selfjoin _F
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-09-2019 07:42 AM

Would need more information regarding what you wish to achieve here. From where did the current output is coming, as a result of a search or from raw data directly? Will there always be same number of rows for each field which has values?

0 Karma
Reply
Solved! Jump to solution

perryd
Engager
‎05-09-2019 08:32 AM

So, my number of row its variable. My data its in a unique index. You can image one index with 3 fields:
FIELD1 - FIELD2 - FIELD3
Hostname1 - values - null()
Hostname2 - values - null()
Hostname3 - values - null()
Hostname4 - values - null()
.................... - ................ - ...........
HostnameN - values - null()
Hostname1 - null() - values

Hostname2 - null() - values

Hostname3 - null() - values

Hostname4 - null() - values

.................... - ................ - ...........

HostnameN - null() - values

What i wont is a match for values in field2 with values in field3. My key is Field 1. My search result should look like this:
FIELD1 - FIELD2 - FIELD3
Hostname1 - values - values

Hostname2 - values - values

Hostname3 - values - values

Hostname4 - values - values

.................... - ................ - ...............
Hostnamen - values - values

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...