Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Problems Comparing Multivalue Fields

Beth
Engager
‎02-15-2011 02:51 PM

I am trying to compare two multivalue fields using the below search:

index="weblogic" "Dynamic Server List" | rex field=_raw "Host: (?.*).*.Secure.*.Status" max_match=10 | rex field=_raw "Host: (?.*).*.Secure.*.\d{4}\n" max_match=10 | eval DynamicCount=mvcount(DynamicHost) | replace "*'*'* Port: *" with ***:* in DynamicHost,StaticHost|eval StaticCount=mvcount(StaticHost) |streamstats count as id
|stats values(DynamicHost) as DynamicValues values(StaticHost) as StaticValues values(url) as URL by id| eval Status = if(DynamicValues != StaticValues, "NOT OK", "OK")|table URL,DynamicValues,StaticValues,Status|dedup URL,DynamicValues,StaticValues

However, there are instances where the Status is "OK" and it is obvious that the fields do not match. Since I am not allowed to use image tags yet, an example can be found here: http://www.freeimagehosting.net/uploads/d2360a43f1.png

Is there another way to compare the values of these fields that will return a Status of "NOT OK"?

Tags (1)
Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-15-2011 04:18 PM

This will break the events into a separate event for each value of DynamicValues and compare whether the entry in DynamicValues is in the StaticValues list:

... | makemv DynamicValues | mvexpand DynamicValues | where match(StaticValues, DynamicValues)

The above search will return every instance where a DynamicValues entry is in StaticValues. Use | mvcombine (see below) if you want to get the data back into its originally unexpanded format.

The "match" function will search a field for a RegEx, but in this case, we're searching one multivalued field (StaticValues) for the the individual entities of DynamicValues. Be sure to check the docs on makemv, so you get your field splits correct.

If you want to add the "OK" and "NOT OK" text to the list and return the events to their original format, you could do the search like this:

... | makemv DynamicValues | mvexpand DynamicValues | eval Status = if(match(StaticValues, DynamicValues), "OK", "NOT OK") | mvcombine DynamicValues

The question was originally asked here:
http://answers.splunk.com/questions/11287/comparing-multivalue-fields/11293#11293

The whole search to build the .PNG image might look something like this:

index="weblogic" "Dynamic Server List" | makemv DynamicValues | mvexpand DynamicValues | eval Status = if(match(StaticValues, DynamicValues), "OK", "NOT OK") | mvcombine DynamicValues

HTH,
Ron

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...