
Can I Iterate on logs and compare two logs from another source?

Lictor
New Member

Hi,

I have a report that logs results for multiple IDs from 2 different SourceTypes. I need to find out if the report from the two sources is identical or not, and find out if either of the sources has an event with an id that doesn't exist in the other source.

Example:
SourceType="A"
log1: id="id1" value="Val1"
log2: id="id2" value="Val2"
log3: id="id3" value="Val3"

SourceType="B"
log1: id="id1" value="Val1"
log2: id="id2" value="Val3"
log3: id="id4" value="Val4"

I need the result to return: log1 identical on the two sources, log2 doesn't match on the 2 sources, log3 only in source "A" and log4 only in source "B".

I couldn't find a way to iterate and compare in that way. Can anyone help?

0 Karma

aweitzman
Motivator

I don't understand your question. There is no "log4" in your example, so your statement log4 only in source "B" doesn't make any sense. It's not clear from your data what the relationship is between logs and ids, and what you're really comparing. Can you please restate your question?

That said, in Splunk you want to avoid thinking about things in terms of iterating if you can. @somesoni2's answer is in the direction you want to go: combine the two sources and figure out which things are the same by virtue of them being doubled up (in other words, by counting rather than comparing), and then it's just a matter of sorting out what to do with the rest of the data that doesn't match up, and adding some presentation around that.

0 Karma

somesoni2
SplunkTrust

Try this

sourcetype=A OR sourcetype=B | eval temp=id."#".value | eventstats values(sourcetype) as vals by temp | where mvcount(vals)=2
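The same combine-and-count idea carried through to all four outcomes the question asks for (identical, mismatch, only in A, only in B), written as an added example that is not part of anyone's reply above. It assumes the field names id and value from the question are extracted for both sourcetypes, and that each id occurs at most once per sourcetype; the status labels are made up for the example.

```spl
sourcetype=A OR sourcetype=B
| stats values(sourcetype) AS sources, dc(value) AS distinct_values, values(value) AS vals BY id
| eval status=case(
      mvcount(sources)=2 AND distinct_values=1, "identical on A and B",
      mvcount(sources)=2,                       "mismatch between A and B",
      sources="A",                              "only in A",
      sources="B",                              "only in B")
| table id sources vals status
```

Run against the sample data in the question this yields id1 identical, id2 mismatch (Val2 vs Val3), id3 only in A and id4 only in B, with no iteration: stats groups by id, so an id present in both sourcetypes simply shows two values in sources. Two things to check before trusting the output: events where id is not extracted are silently dropped by the BY clause, and if one sourcetype can log the same id several times with different values, dc(value) will report a mismatch even when the other source agrees with one of them.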

Lictor
New Member

Not exactly what I am looking for.
I need to find a way to look for all the ids in SourceType A (one by one) and then search for each found id in SourceType B and match the two log lines.
I need to do that for all IDs, where the ids are unknown (not a preset list of ids).

0 Karma