Hi,
Let's say we have 2 multivalue fields
Field1={a,b,c,d}
Field2={a,b,c,d,e}
Is it possible to evaluate the difference between these fields and display the additional value of Field2? So that Field3={e}
Best regards,
Heinz
Let me know what you think of the strategy:
| makeresults
| eval F1="a b c"
| makemv F1
| append
[| makeresults
| eval F2="a b c d"
| makemv F2 ]
| append [ | makeresults
| eval F2_Original="a b c d"
| makemv F2_Original ]
| stats values(F1) as F1, values(F2) as F2, values(F2_Original) as F2_Original
| mvexpand F2
| eval F3=if(F2 IN(F1),"",F2)
| fields F1, F2_Original, F3
| where len(F3)>0
The given information works, but I would consider something that is more direct:
Hi @HeinzWaescher
Try this and let me know
| makeresults
| eval Field1="a,b,c,e", Field2="a,b,c,d"
| eval Field3 =mvzip(Field1,Field2)
| makemv delim="," Field3
| stats list(Field1) as Field1,list(Field2) as Field2, count by Field3
| mvcombine Field3
| eval Field3=mvjoin(Field3,",")
| where count=1
| table Field1,Field2,Field3
Let me know what you think of the strategy:
| makeresults
| eval F1="a b c"
| makemv F1
| append
[| makeresults
| eval F2="a b c d"
| makemv F2 ]
| append [ | makeresults
| eval F2_Original="a b c d"
| makemv F2_Original ]
| stats values(F1) as F1, values(F2) as F2, values(F2_Original) as F2_Original
| mvexpand F2
| eval F3=if(F2 IN(F1),"",F2)
| fields F1, F2_Original, F3
| where len(F3)>0
Works pretty fine! Thanks