Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return value list from subsearch and use it in main search?

C_Sparn
Communicator
‎04-16-2014 08:42 AM

Hello,
I'm trying to return a list of values from a subsearch to compare that list to other field values in main search. It should look like this:

sourcetype=any OR sourcetype=other
|eval test =[search sourcetype=any OR sourcetype=other
|streamstats count by field1, field2
|stats values(field1) AS f1 values(field1) AS f2
|mvexpand f1
|eval status =if(match(f2,f1),"True","False")
|where status ="False"
|return f1]
|stats values(field3) as f3
|where field4 = test
|table f3

Hello,sry that my question above is a bit complicated to understand.What I want to do is this:
I'm indexing data from two different sourcetypes that have some similar data in different fields. Now I want to compare the values of two fields (field1 and field2) and check if there are some equal values and get a list of that equal values (lets call it "VALUE_LIST"). Then i want to compare other field values (from field3 and field4) of events that have one of the values from VALUE_LIST in their field1 or field2. At the end i need a table with values from VALUE_LIST, field3 and field4 where field3 and field4 are not eqaul. Thanks for the help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

C_Sparn
Communicator
‎08-14-2014 12:01 AM

Hello,
the solution for that problem was using inner join and a where clause for field 3 and 4:

sourcetype=any | eval Tickets=TicketNumber |join type=inner Tickets [search sourcetype=other | eval Tickets=TicketNumberOther] |where UserId != UserIdOther |stats values(UserId) values(UserIdOther) by Tickets

Greetings
C_Sparn

View solution in original post

Reply
Solved! Jump to solution
Solution

C_Sparn
Communicator
‎08-14-2014 12:01 AM

Hello,
the solution for that problem was using inner join and a where clause for field 3 and 4:

sourcetype=any | eval Tickets=TicketNumber |join type=inner Tickets [search sourcetype=other | eval Tickets=TicketNumberOther] |where UserId != UserIdOther |stats values(UserId) values(UserIdOther) by Tickets

Greetings
C_Sparn

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-16-2014 10:03 AM

Your stats/streamstats use is a mess, so it's futile to try to gather your requirements from the search. Do explain your use case in natural language instead.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...