Solved: Re: match values in same fields

perryd · ‎05-09-2019

Hi, i would match two field, exactly:
field1 - field2
1 - Empty
1 - Empty
1 - Empty
Empty - 2
Empty - 2

Empty - 2

It's possible sort the values in order to obtain this?:
field1 - field2
1 - 2
1 - 2
1 - 2

woodcock · ‎05-11-2019

My other answer answered the question that you actually asked, but given your clarification comment, what you actually need is this:

... | stats values(*) AS * BY FIELD1

View solution in original post

woodcock · ‎05-11-2019

My other answer answered the question that you actually asked, but given your clarification comment, what you actually need is this:

... | stats values(*) AS * BY FIELD1

perryd · ‎05-12-2019

the problem is that i've about 11000 row and i can't calculate " eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4"
there is some function that do it automatically?

woodcock · ‎05-13-2019

Did you even try my solution? It handles variable number/names of fields dynamically.

perryd · ‎05-13-2019

i don't know what put in the row "| eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4".
You say me that it is dynamic, but what i write? I've need to use two fields and 11000 row...
maybe i'm not understand, i'm sorry.

woodcock · ‎05-13-2019

Forget my other answer entirely. Take your existing search (everything up to the first pipe) and add this answer to the bottom of that. Done.

woodcock · ‎05-11-2019

Like this:

| makeresults 
| eval raw="field1=A field1=B field1=C field1=D field2=1 field2=2 field2=3 field2=4"
| makemv raw
| mvexpand raw
| rename raw AS _raw
| kv
| table field*

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| streamstats count(field1) AS F1 count(field2) AS F2
| foreach F* [ eval <<FIELD>> = if(isnull(field<<MATCHSTR>>), null(), <<FIELD>>) ]
| eval _F=coalesce(F1, F2)
| fields - F*
| selfjoin _F

somesoni2 · ‎05-09-2019

Would need more information regarding what you wish to achieve here. From where did the current output is coming, as a result of a search or from raw data directly? Will there always be same number of rows for each field which has values?

perryd · ‎05-09-2019

So, my number of row its variable. My data its in a unique index. You can image one index with 3 fields:
FIELD1 - FIELD2 - FIELD3
Hostname1 - values - null()
Hostname2 - values - null()
Hostname3 - values - null()
Hostname4 - values - null()
.................... - ................ - ...........
HostnameN - values - null()
Hostname1 - null() - values

Hostname2 - null() - values

Hostname3 - null() - values

Hostname4 - null() - values

.................... - ................ - ...........

HostnameN - null() - values

What i wont is a match for values in field2 with values in field3. My key is Field 1. My search result should look like this:
FIELD1 - FIELD2 - FIELD3
Hostname1 - values - values

Hostname2 - values - values

Hostname3 - values - values

Hostname4 - values - values

.................... - ................ - ...............
Hostnamen - values - values

match values in same fields

Empty - 2

HostnameN - null() - values

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk