Comments and answers for "Using a string delimeter to compare fields"
https://answers.splunk.com/answers/561124/using-a-string-delimeter-to-compare-fields.html
The latest comments and answers for the question "Using a string delimeter to compare fields"Comment by DalJeanis on DalJeanis's comment
https://answers.splunk.com/comments/562386/view.html
@srikarbaswa446 - you already have the answer from martin. scsv is a1, sno is a2, uncmn is a3.
your query here
| stats values(scsv) as a1 values(sno) as a2
| mvexpand a1
| where isnull(mvfind(a2, a1))
| stats values(a1) as uncmn
| eval uncmn = mvjoin(uncmn, ",")
That version assumes that each value of scsv and sno is in a different event record. If, instead, they are together in a single record with spaces between them, as you presented them, then replace the first two lines with..
your query here
| eval a1= scsv | makemv a1
| eval a2=sno | makemv a2Thu, 10 Aug 2017 17:22:11 GMTDalJeanisComment by srikarbaswa446 on srikarbaswa446's comment
https://answers.splunk.com/comments/561792/view.html
Hi Martin,
There is small correction in my question .Actually I had list of values where I got a output of two lists contain values for example as below and I need a unique value in new list as below:
scsv = 1234 5678 8901 8520
sno = 1234 8901 8520
uncmn= 5678
I need a value which is not present in sno when compared with scsv,as scsv in my data has all values in list and sno contains only few values which are present in scsv.Thu, 10 Aug 2017 07:15:23 GMTsrikarbaswa446Comment by DalJeanis on DalJeanis's answer
https://answers.splunk.com/comments/561163/view.html
@martin_mueller - Very nice. Had to play with it.
Here's if you want to do double-elimination -
| makeresults | eval a1="111,222,333,444,555", a2="111,222,444,666,777"
| table a*
| makemv a1 delim="," | makemv a2 delim=","
| eval killa2 = a1 | eval killa1=a2
| mvexpand a1 | where isnull(mvfind(killa1,a1)) | mvexpand a2 | where isnull(mvfind(killa2,a2))
| stats values(a1) as a1 values(a2) as a2
| eval a1 = mvjoin(a1, ",") | eval a2 = mvjoin(a2, ",")
That will get large at O(N^2) if you have lots of survivors, though. Hmmm. Oh, cool. If you leave one of the kills as a single field, the `stats` itself can function as the second `mvexpand`.
| makeresults | eval a1="111,222,333,444,555", a2="111,222,444,666,777" | table a*
| eval killa2 = a1
| makemv a1 delim="," | makemv a2 delim=","
| eval killa1=a2
| mvexpand a1
| where isnull(mvfind(killa1,a1))
| stats values(a1) as a1 by a2 killa2
| where isnull(mvfind(killa2,a2))
| stats values(a2) as a2 by a1
| eval a2 = mvjoin(a2, ",")Wed, 09 Aug 2017 14:29:26 GMTDalJeanisAnswer by martin_mueller
https://answers.splunk.com/answering/561139/view.html
This?
| makeresults | eval a1="111,222,333,444,555", a2="111,222,444" | makemv a1 delim="," | makemv a2 delim="," | mvexpand a1 | where isnull(mvfind(a2, a1)) | stats values(a1) as a3 | eval a3 = mvjoin(a3, ",")Wed, 09 Aug 2017 13:07:25 GMTmartin_mueller