Splunk Search

Using a string delimeter to compare fields

srikarbaswa446
New Member

How do I get output for the following requirement?

given a1=111,222,333,444,555
a2=111,222,444
output required is a3=333,555

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

This?

| makeresults | eval a1="111,222,333,444,555", a2="111,222,444" | makemv a1 delim="," | makemv a2 delim="," | mvexpand a1 | where isnull(mvfind(a2, a1)) | stats values(a1) as a3 | eval a3 = mvjoin(a3, ",")

DalJeanis
SplunkTrust
SplunkTrust

@martin_mueller - Very nice. Had to play with it.

Here's if you want to do double-elimination -

| makeresults | eval a1="111,222,333,444,555", a2="111,222,444,666,777" 
| table a* 
| makemv a1 delim="," | makemv a2 delim="," 
| eval killa2 = a1 | eval killa1=a2 
| mvexpand a1 | where isnull(mvfind(killa1,a1)) | mvexpand a2 | where isnull(mvfind(killa2,a2))
| stats values(a1) as a1 values(a2) as a2
| eval a1 = mvjoin(a1, ",") | eval a2 = mvjoin(a2, ",")

That will get large at O(N^2) if you have lots of survivors, though. Hmmm. Oh, cool. If you leave one of the kills as a single field, the stats itself can function as the second mvexpand.

| makeresults | eval a1="111,222,333,444,555", a2="111,222,444,666,777" | table a* 
| eval killa2 = a1 
| makemv a1 delim="," | makemv a2 delim="," 
| eval killa1=a2 
| mvexpand a1 
| where isnull(mvfind(killa1,a1)) 
| stats values(a1) as a1 by a2 killa2 
| where isnull(mvfind(killa2,a2)) 
| stats values(a2) as a2 by a1 
| eval a2 = mvjoin(a2, ",")

srikarbaswa446
New Member

Hi Martin,

There is small correction in my question .Actually I had list of values where I got a output of two lists contain values for example as below and I need a unique value in new list as below:
scsv = 1234 5678 8901 8520
sno = 1234 8901 8520
uncmn= 5678
I need a value which is not present in sno when compared with scsv,as scsv in my data has all values in list and sno contains only few values which are present in scsv.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@srikarbaswa446 - you already have the answer from martin. scsv is a1, sno is a2, uncmn is a3.

 your query here 
| stats values(scsv) as a1 values(sno) as a2
| mvexpand a1 
| where isnull(mvfind(a2, a1)) 
| stats values(a1) as uncmn 
| eval uncmn = mvjoin(uncmn, ",")

That version assumes that each value of scsv and sno is in a different event record. If, instead, they are together in a single record with spaces between them, as you presented them, then replace the first two lines with..

 your query here 
| eval a1= scsv     | makemv a1  
| eval a2=sno      | makemv a2  
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...