Hello guys,
So I have struggled writing search pipeline for this senario:
I have comparing unique id(numerical value) in 3 different fields (id_1,id_2,id_3). The data looks something like:
id_1 | id_2 | id_3
1 3 4
2 4 5
3 5 6
4 6 5
4 5 3
I want to find out where all three columns have a matching value.
For example, here 4 would be a unique value that appears in all three fields.
I have run different seaches:
...|table id_1.id_2,id_3|where id_1==id_2==id_3
...|eval matchname=id_2|where id_1==matchname <-tried with 2 fields first, no result
...|table id_1, id_2|eval matchname=if(id_1==id_2,"y","n")
...|stats values(id_1) by id_2,id_3
I am new to Splunk so please excuse my lack of knowledge on the different commands. But i feel like I might be missed a big concept in Splunk Search Language.
Advance thanks for any help on this.
-New Splunk Enthusiast
This should do, starting from your initial table:
... | table id_1 id_2 id_3 | eval foo = 42 | untable foo name value | stats dc(name) as dc by value | where dc=3
That will distinct-count the field names per value, and only keep those values that occur in all three field names.