I have a list of hostnames being generated from a left join for different applications in a multivalue table column:
APP1 | hostname1 | hostnames2 |
appdelta | syzhost.domain1 abchost.domain1 egfhost.domain1 | syzhost.domain1 abchost.domain1 |
What I need is a separate column with just egfhost.domain1, showing the diff of the two lists.
| foreach hostname1 mode=multivalue
[| eval diff=if(mvfind(hostnames2,<<ITEM>>)>=0,diff,mvappend(diff,<<ITEM>>))]
Hi @secure
Might not be perfect, but does this work?
| makeresults
| eval APP1="appdelta", list1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),list2=mvappend("syzhost.domain1","abchost.domain1")
| fields - _time
|stats values(list2) as list2 by list1
| foreach list2 mode=multivalue [|eval notInList=IF(<<ITEM>>==list1,<<ITEM>>,null())]
| stats values(notInList)
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Tried your solution; it's not working.
I was able to resolve this using
| makeresults
| eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=mvappend("syzhost.domain1","abchost.domain1")
| fields - _time
| eval match=max(mvmap(hostname1, if(isnotnull(mvfind(hostname2, hostname1)), 1, hostname1)))
| table APP1,hostname1,hostname2,match
But now I have an additional issue: for some hostnames the value is "no hosts", and in that case it's also just giving me 1 hostname.
| makeresults
| eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=("")
| fields - _time
| eval match=max(mvmap(hostname1, if(isnotnull(mvfind(hostname2, hostname1)), 1, hostname1)))
| table APP1,hostname1,hostname2,match
Which is not right.
This worked for me
| makeresults
| eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=mvappend("syzhost.domain1","abchost.domain1")
| fields - _time
| eval match=max(mvmap(hostname1, if(isnotnull(mvfind(hostname2, hostname1)), 1, hostname1)))
| table APP1,hostname1,hostname2,match
| foreach hostname1 mode=multivalue
[| eval diff=if(mvfind(hostnames2,<<ITEM>>)>=0,diff,mvappend(diff,<<ITEM>>))]
I tried the query; not getting the output.
| makeresults
| eval APP1="appdelta", hostname1= mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),hostname2=mvappend("syzhost.domain1","abchost.domain1")
| fields - _time
| foreach hostname1 mode=multivalue
[| eval diff=if(mvfind(hostnames2,<<ITEM>>)>=0,diff,mvappend(diff,<<ITEM>>))]
| table APP1,hostname1,hostname2,diff
What I need in the diff column is egfhost.domain1.
Hi @secure
I noticed another reply on your other question similar to this pointed towards using "MVDiff Add-on For Splunk" which might help avoid some complex SPL searches.
Shamelessly pinching @VatsalJagani's image from the last reply.
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Your original post used hostnames2, which I used in my suggestion. In your second post, you used hostname2, which is not the same field. Please retry with the correct field names.
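For reference, here is an added example (not posted by anyone in this thread) that computes the multivalue set difference hostname1 minus hostname2 with a single consistent field name, and also covers the "no hosts" case the asker ran into. It uses mvmap to walk hostname1 and mvfind to test membership in hostname2; the pattern is wrapped in PCRE \Q...\E so that the dots in a hostname are matched literally rather than as regex wildcards, and anchored with ^ and $ so that a short name cannot partially match a longer one. The APP1 values "appecho" and "appfox" and their host lists are constructed sample rows for the demonstration.

```spl
| makeresults
| eval APP1="appdelta",
       hostname1=mvappend("syzhost.domain1","abchost.domain1","egfhost.domain1"),
       hostname2=mvappend("syzhost.domain1","abchost.domain1")
| append
    [| makeresults
     | eval APP1="appecho",
            hostname1=mvappend("syzhost.domain1","abchost.domain1"),
            hostname2="no hosts" ]
| append
    [| makeresults
     | eval APP1="appfox",
            hostname1="xyzhost.domain1",
            hostname2="xyzhost.domain1" ]
| fields - _time
| eval diff=mvmap(hostname1,
        if(isnull(mvfind(hostname2, "^\Q".hostname1."\E$")), hostname1, null()))
| fillnull value="none" diff
| table APP1, hostname1, hostname2, diff
```

Items for which the mvmap expression returns null() are dropped from the result, so diff only keeps the hosts that are absent from hostname2: egfhost.domain1 for appdelta, both hosts for appecho (a hostname2 of "no hosts", an empty string, or a null field all fail the mvfind test, so the whole of hostname1 is reported), and a placeholder "none" for appfox, where fillnull replaces the null that mvmap produces when every host matched. Note that mvfind takes a regex, which is why the earlier attempt with mvfind(hostname2, hostname1) can over-match: an unescaped dot matches any character, and without anchors "host.domain1" would be found inside "abchost.domain1".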