Splunk Search

Need difference from multivalue table column

secure (Path Finder)

I have a list of hostnames being generated from a left join for different applications in a multivalue table column:

APP1       hostname1           hostnames2
appdelta   syzhost.domain1     syzhost.domain1
           abchost.domain1     abchost.domain1
           egfhost.domain1

What I need is a separate column with just egfhost.domain1, showing the diff of the two lists.

Accepted solution, by ITWhisperer (SplunkTrust):
| foreach hostname1 mode=multivalue
    [| eval diff=if(mvfind(hostnames2,<<ITEM>>)>=0,diff,mvappend(diff,<<ITEM>>))]


livehybrid (SplunkTrust)

Hi @secure 

Might not be perfect, but does this work?

| makeresults 
| eval APP1="appdelta", list1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),list2=mvappend("syzhost.domain1","abchost.domain1") 
| fields - _time
| stats values(list2) as list2 by list1
| foreach list2 mode=multivalue [|eval notInList=IF(<<ITEM>>==list1,<<ITEM>>,null())]
| stats values(notInList)

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will


secure (Path Finder)

@livehybrid 

Tried your solution, it's not working.

[screenshot: secure_0-1742491600261.png]

I was able to resolve this using

| makeresults
| eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=mvappend("syzhost.domain1","abchost.domain1")
| fields - _time
| eval match=max(mvmap(hostname1, if(isnotnull(mvfind(hostname2, hostname1)), 1, hostname1)))
| table APP1,hostname1,hostname2,match

But now I have an additional issue: for some hostnames the value is "no hosts", and in that case also it's just giving me 1 hostname.

| makeresults
| eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=("")
| fields - _time
| eval match=max(mvmap(hostname1, if(isnotnull(mvfind(hostname2, hostname1)), 1, hostname1)))
| table APP1,hostname1,hostname2,match

[screenshot: secure_1-1742491812770.png]

which is not right.


secure (Path Finder)

This worked for me:
| makeresults
| eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=mvappend("syzhost.domain1","abchost.domain1")
| fields - _time
| eval match=max(mvmap(hostname1, if(isnotnull(mvfind(hostname2, hostname1)), 1, hostname1)))
| table APP1,hostname1,hostname2,match



secure (Path Finder)

@ITWhisperer 

I tried the query, not getting the output.

| makeresults
| eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=mvappend("syzhost.domain1","abchost.domain1")
| fields - _time
| foreach hostname1 mode=multivalue
[| eval diff=if(mvfind(hostnames2,<<ITEM>>)>=0,diff,mvappend(diff,<<ITEM>>))]
| table APP1,hostname1,hostname2,diff

What I need in the diff column is egfhost.domain1.

[screenshot: secure_0-1742487519481.png]

livehybrid (SplunkTrust)

Hi @secure 

I noticed another reply on your other question similar to this pointed towards using "MVDiff Add-on For Splunk" which might help avoid some complex SPL searches.

Shamelessly pinching @VatsalJagani's image from the last reply:

[screenshot: livehybrid_1-1742497802505.png]

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will


ITWhisperer (SplunkTrust)

Your original post used hostnames2 which I used in my suggestion. In your second post, you used hostname2 which is not the same field. Please retry with the correct field names.
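
Added example (not code from any reply above): the search below computes the difference between the two multivalue columns in both directions and covers the two cases the thread runs into, the "no hosts" placeholder and a row where the left join produced no second list at all. It keeps the original post's field names hostname1 and hostnames2; the four sample rows built with makeresults, the extra application names (appecho, appfox, appgolf) and the "(none)" filler are constructed for the example. It also assumes, as the accepted solution does, that mvfind takes a regular expression, which is why each value is anchored with ^ and $ before the lookup.

```spl
| makeresults count=4
| streamstats count AS n
| eval APP1=case(n=1, "appdelta", n=2, "appecho", n=3, "appfox", n=4, "appgolf")
| eval hostname1=split(case(n=1, "syzhost.domain1,abchost.domain1,egfhost.domain1",
                            n=2, "syzhost.domain1,abchost.domain1,egfhost.domain1",
                            n=3, "syzhost.domain1",
                            n=4, "syzhost.domain1,abchost.domain1"), ",")
| eval h2=case(n=1, "syzhost.domain1,abchost.domain1", n=2, "no hosts", n=3, "syzhost.domain1")
| eval hostnames2=if(isnull(h2), null(), split(h2, ","))
| fields - _time n h2
| eval hostnames2=if(mvcount(hostnames2)==1 AND mvindex(hostnames2, 0)=="no hosts", null(), hostnames2)
| eval only_in_hostname1=mvmap(hostname1,
        if(isnull(hostnames2) OR isnull(mvfind(hostnames2, "^".hostname1."$")), hostname1, null()))
| eval only_in_hostnames2=mvmap(hostnames2,
        if(isnull(hostname1) OR isnull(mvfind(hostname1, "^".hostnames2."$")), hostnames2, null()))
| fillnull value="(none)" only_in_hostname1 only_in_hostnames2
| table APP1 hostname1 hostnames2 only_in_hostname1 only_in_hostnames2
```

To use it against real data, replace everything up to the `fields - _time n h2` line with the left-join search that produces hostname1 and hostnames2. The `mvcount ... "no hosts"` line turns the placeholder into a null list, so that row is treated like a row with no second list, and mvmap then keeps every host from hostname1 because mvmap drops any value for which the expression returns null. That is also why the `max(mvmap(...))` approach in the thread shows only one host: max() collapses the multivalue result to a single value. Two caveats on mvfind: without the ^ and $ anchors "host.domain1" would match "abchost.domain1" as a substring, and the dots in a hostname are still regex metacharacters that match any single character, which is harmless for hostnames but worth knowing if the values can contain other metacharacters. Expected result for the constructed rows: appdelta gives egfhost.domain1; appecho gives all three hosts; appfox gives (none) in both directions; appgolf, whose hostnames2 is null, gives both of its hosts.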