I think you should be able to do this by using the mvmap() function. Here is the eval to return the resulting table above.

````spl
``` Eval to perform set operation against Splunk multivalue fields ```
| eval
    new_remove_old_set_operation=case(
        isnull(new_groups), null(),
        mvcount(new_groups)==1, if(NOT 'new_groups'=='old_groups', 'new_groups', null()),
        mvcount(new_groups)>1, mvmap(new_groups, if(NOT 'new_groups'=='old_groups', 'new_groups', null()))
    )
````

Full SPL snippet used to replicate your scenario.
````spl
| makeresults
| eval
    user="user1",
    old_groups=mvappend(
        "group1",
        "group2",
        "group3"
    ),
    new_groups=mvappend(
        "group1",
        "group2",
        "group3",
        "group4",
        "group5"
    )
| append
    [
    | makeresults
    | eval
        user="user2",
        old_groups=mvappend(
            "group3",
            "group4",
            "group5"
        ),
        new_groups=mvappend(
            "group4",
            "group5",
            "group6",
            "group7",
            "group8"
        )
    ]
| fields - _time
| fields + user, old_groups, new_groups
``` Eval to perform set operation against Splunk multivalue fields ```
| eval
    new_remove_old_set_operation=case(
        isnull(new_groups), null(),
        mvcount(new_groups)==1, if(NOT 'new_groups'=='old_groups', 'new_groups', null()),
        mvcount(new_groups)>1, mvmap(new_groups, if(NOT 'new_groups'=='old_groups', 'new_groups', null()))
    )
````
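As an added example (not part of the original answer), the same mvmap() comparison idiom extended to report removed and unchanged groups next to the added ones, which is the view a group-membership audit or access review usually needs. It assumes mvmap() also accepts a single-value field, so the case()/mvcount()==1 guard from the answer is omitted, and it reuses the constructed user2 sample data from the snippet above.

```spl
| makeresults
| eval
    user="user2",
    old_groups=mvappend("group3", "group4", "group5"),
    new_groups=mvappend("group4", "group5", "group6", "group7", "group8")
| eval
    added_groups=mvmap(new_groups, if(NOT 'new_groups'=='old_groups', 'new_groups', null())),
    removed_groups=mvmap(old_groups, if(NOT 'old_groups'=='new_groups', 'old_groups', null())),
    unchanged_groups=mvmap(new_groups, if('new_groups'=='old_groups', 'new_groups', null()))
| eval
    added_count=coalesce(mvcount(added_groups), 0),
    removed_count=coalesce(mvcount(removed_groups), 0),
    membership_changed=if(added_count>0 OR removed_count>0, "yes", "no")
| fields - _time
| fields + user, old_groups, new_groups, added_groups, removed_groups, unchanged_groups, added_count, removed_count, membership_changed
```

For user2 this should give added_groups of group6, group7 and group8, removed_groups of group3 and unchanged_groups of group4 and group5, with membership_changed set to "yes"; the coalesce() keeps the counts at 0 rather than null when nothing was added or removed.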