Solved: How to extract common values from a multi-value fi...

ashishdhinwa · ‎05-31-2022

Hi All,

I have a multi-value field as shown below-

_time	field_test
2022-05-13 04:36:00	test_data_1
	test_data_2
	test_data_3
	test_data_4
2022-05-13 03:30:00	test_data_9
	test_data_10
	test_data_3
	test_data_4

For the above two events, I am trying to write a query which can provide me the common values such that result is-

test_data_3

test_data_4

Please help me on how can I accomplish it?

ITWhisperer · ‎05-31-2022

| stats count by field_test
| where count > 1

View solution in original post

VatsalJagani · ‎05-31-2022

@ashishdhinwa - You can try something like

<your query>
| eventstats dc(_time) as total_count
| mvexpand field_test
| stats count, last(total_count) as total_count by field_test
| where field_test>=total_count
| fields field_test

This should provide values that are common for all the _time field values (present in all events).

Hope this helps!!!

ITWhisperer · ‎05-31-2022

| stats count by field_test
| where count > 1

ashishdhinwa · ‎06-07-2022

Thanks! This works 🙂

How to extract common values from a multi-value field for different event times.

field extraction

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!