how to compare a field value with next whole colum...

afrinakaffrey · ‎07-24-2019

for example,

Col A Col B Col C
apple apple apple
orange apple orange
pineapple orange pineapple
grapes pineapple grapes
banana grapes null
kiwi cucumber null
mango radish null

I have a data in column A and Column B , apple in ColA should compare with whole ColB , once the data is identified should fetch the data and results in ColC

vnravikumar · ‎07-24-2019

Hi

Try this

source="dummydata.csv" host="ind1" sourcetype="csv" 
| rename "Col A" as A, "Col B" as B 
| table A,B,temp 
| stats list(A) as A,list(B) as B,list(temp) as temp 
| eval tempB=mvjoin(B,",") 
| eval AandB =mvzip(A,B,"#") 
| table AandB tempB 
| mvexpand AandB 
| eval tempAandB=split(AandB,"#") 
| eval A=mvindex(tempAandB,0),B=mvindex(tempAandB,1) 
| table A,B,tempB 
| eval C=if(in(A,'tempB'),A,null()) 
| makemv tempB delim="," 
| eval C=if(mvfind(tempB, 'A')>0,A,null()) 
| table A,B,C

Data used:

Col A,Col B
apple,apple
orange,apple
pineapple,orange
grapes,pineapple
banana,grapes
kiwi,cucumber
mango,radish

renjith_nair · ‎07-24-2019

@afrinakaffrey ,

try

your search |eventstats values(ColB) as colBList
|eval colC=if(isnotnull(mvfind(colBList,ColA )),ColA ,null())
| fields - colBList

---
What goes around comes around. If it helps, hit it with Karma 🙂

how to compare a field value with next whole column and fetch the result in next column?

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel