Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I Iterate on logs and compare two logs from another source?

Lictor
New Member
‎09-30-2014 03:34 AM

Hi,

I have a report that log results for multiple IDs from 2 different SourceType. I need to find out if the report from the two sources is identical or not and find out if any of the sources have an event with id that doesn't exist in the other source.

Example:
SourceType="A"
log1: id="id1" value="Val1"
log2: id="id2" value="Val2"
log3: id="id3" value="Val3"

SourceType="B"
log1: id="id1" value="Val1"
log2: id="id2" value="Val3"
log3: id="id4" value="Val4"

I need the result to return log1 identical on two sources, log2 don't match on 2 sources, log3 only in source "A" and log4 only in source "B".

I couldn't find a way to iterate and compare in that way. Can anyone help?

0 Karma
Reply

aweitzman
Motivator
‎10-01-2014 05:57 AM

I don't understand your question. There is no "log4" in your example, so your statement log4 only in source "B" doesn't make any sense. It's not clear from your data what the relationship is between logs and ids, and what you're really comparing. Can you please restate your question?

That said, in Splunk you want to avoid thinking about things in terms of iterating if you can. @somesoni2's answer is in the direction you want to go: combine the two sources and figure out which things are the same by virtue of them being doubled up (in other words, by counting rather than comparing), and then it's just a matter of sorting out what to do with the rest of the data that doesn't match up, and adding some presentation around that.

0 Karma
Reply

somesoni2
Revered Legend
‎09-30-2014 05:07 AM

Try this

sourcetype=A OR sourcetype =B |eval temp=id."#".value |eventstats values(sourcetype) as vals| where mvcount(vals)=2
Reply

Lictor
New Member
‎10-01-2014 01:36 AM

Not exactly what I am looking for.
I need to find a way to look for all the ids in SourceType A (one by one) and then search for the found id in SourceType B and match the two log lines.
Need to do that for all IDs, where the ids are unknown (not a preset of ids).

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...