What's the easiest way to return a multivalue resu...

andrewtrobec · ‎02-04-2020

Hello,

Working with Splunk 7.3.2.

I have two multivalues that have a set of values in common:

| makeresults
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z"
| table A B
| makemv A delim=","
| makemv B delim=","

In this case the common values are d, h, j. What I'd like to do is create a new multivalue containing those values. The following search gets the job done, but it seems like a terrible way of doing so:

| makeresults
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z"
| table A B
| makemv A delim=","
| makemv B delim=","
| eval C = mvappend(A,B)
| table C
| mvexpand C
| eventstats count by C
| where count > 1
| dedup C
| stats values(C) as C

Can somebody give me some pointers/suggestions on how to make it more elegant and less resource consuming?

Thanks!

Andrew

vnravikumar · ‎02-04-2020

Hi

Check this

| makeresults 
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z" 
| table A B 
| makemv A delim="," 
| makemv B delim="," 
| eval C = mvappend(A,B) 
| stats count by C 
| where count >1 
| fields - count

or

| makeresults 
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z" 
| table A B 
| makemv A delim="," 
| makemv B delim="," 
| eval C = mvappend(A,B) 
| stats count by C 
| where count >1 
| mvcombine delim="," C 
| nomv C 
| table C

to4kawa · ‎02-09-2020

| makeresults 
| eval A="a,b,c,d,e,f,g,h,i,j", B="d,h,j,l,o,t,z" 
| table A B
| eval C=split(A.",".B,",")
| stats count by C
| stats values(eval(if(count>1,C,NULL))) as C delim=","
| nomv C

This is the same way.

What's the easiest way to return a multivalue result containing the values that are present in two multivalues?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms