Re: how to compare a field value with next whole c...

afrinakaffrey · ‎07-24-2019

for example,

Col A Col B Col C
apple apple apple
orange apple orange
pineapple orange pineapple
grapes pineapple grapes
banana grapes null
kiwi cucumber null
mango radish null

I have a data in column A and Column B , apple in ColA should compare with whole ColB , once the data is identified should fetch the data and results in ColC

vnravikumar · ‎07-24-2019

Hi

Try this

source="dummydata.csv" host="ind1" sourcetype="csv" 
| rename "Col A" as A, "Col B" as B 
| table A,B,temp 
| stats list(A) as A,list(B) as B,list(temp) as temp 
| eval tempB=mvjoin(B,",") 
| eval AandB =mvzip(A,B,"#") 
| table AandB tempB 
| mvexpand AandB 
| eval tempAandB=split(AandB,"#") 
| eval A=mvindex(tempAandB,0),B=mvindex(tempAandB,1) 
| table A,B,tempB 
| eval C=if(in(A,'tempB'),A,null()) 
| makemv tempB delim="," 
| eval C=if(mvfind(tempB, 'A')>0,A,null()) 
| table A,B,C

Data used:

Col A,Col B
apple,apple
orange,apple
pineapple,orange
grapes,pineapple
banana,grapes
kiwi,cucumber
mango,radish

renjith_nair · ‎07-24-2019

@afrinakaffrey ,

try

your search |eventstats values(ColB) as colBList
|eval colC=if(isnotnull(mvfind(colBList,ColA )),ColA ,null())
| fields - colBList

---
What goes around comes around. If it helps, hit it with Karma 🙂

how to compare a field value with next whole column and fetch the result in next column?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases