Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find common and distinct data from two datasets?

maverick27
Explorer
‎01-31-2024 10:26 PM

Hi @ITWhisperer ,

I have two datasets from two search queries. I need to fetch the common as well as distinct values from both the datasets in the final result. 

Something like this:

Field1Field2Result
121
342
563
784
9105
10 6
  7
  8
  9
  10

 

Can you please help with the query?

Labels (1)
Labels
0 Karma
Reply

maverick27
Explorer
‎02-01-2024 04:32 AM

May be I wasn't clear with my requirement. Apologies guys!

Let me give you an example as to what I'm trying to do. 

1st search contains the following data:

Field1DEPTUID
1AccountsAA
3HRCC
5OpsEE
7TechGG
9OpsII
10TechJJ
11HRKK

 

2nd search contains the following data:

Field2REGION
2NA
4TY
6HK
8AS
10EU
11AS

 

Now, I need to get common as well as disctinct rows from both the tables as shown below:

ResultDEPTUIDREGION
1AccountsAA 
2  NA
3HRCC 
4  TY
5OpsEE 
6  HK
7TechGG 
8  AS
9OpsII 
10TechJJEU
11HRKKAS
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-01-2024 05:50 AM 
(search1) OR (search2)
| stats values(*) as * by Field1

If they are bigger complex searches, you'd need to use append instead of simple OR for conditions but then you have to watch for limits for subsearches.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-01-2024 05:42 AM

hi @maverick27 ,

you have to expend my search:

index=index1 OR index=index2
| eval Result=coalesce(field1, field2)
| table Result DEPT UID REGION

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-01-2024 05:44 AM

More like this

index=index1 OR index=index2
| eval Result=coalesce(field1, field2)
| stats values(*) as * by Result
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-01-2024 01:44 AM

It looks like @gcusello has provided a good answer - It is probably best not to call out individuals when first posing a question; we are all volunteers here and you don't know when the requested volunteer is going to be available, and others may feel that they shouldn't answer when the question is directed to particular volunteers (do you not value others' contributions?)

Reply

maverick27
Explorer
‎02-01-2024 01:56 AM

Totally agree. I value everyone's contribution and restricting my question only to a certain individual will only delay or prolong the process. Apologies for that. This won't be repeated. Let me try @gcusello's solution and get back! Thanks guys!

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-31-2024 11:11 PM

And you have those results in multivalued fields? In separate result rows?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-31-2024 10:57 PM

Hi @maverick27 ,

you could use eval coalesce, something like this:

index=index1 OR index=index2
| eval new_field=coalesce(field1, field2)
| table new_field

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...