I haven't written a complex Splunk query for a while, so please help me get started with this. This is what I am trying to do:
I have a master list of hosts which I have loaded into Splunk. I want to compare those hosts with another list which I get by running a query in Splunk. The outcome I am expecting is 'Y' if the host appears in both lists, 'N' if it is on the first list but not on the second.
Like this:
<first search here> | dedup host | eval type=1
| append [search <second search here> | dedup host | eval type=2]
| stats values(type) AS types dc(type) AS numTypes BY host
| eval outcome=case(numTypes=2,"Y", types=1,"N", types=2,"?", 1==1,"??")
| table host outcome
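The same append-and-count pattern filled in for the situation described in the question, where the master list is a lookup already loaded into Splunk. This is an added example, not part of the answer above; the lookup name master_hosts.csv (with a field called host), and the index, sourcetype and time range of the second search, are assumptions and need to be replaced with your own.

```spl
| inputlookup master_hosts.csv
| dedup host
| eval type=1
| append
    [ search index=main sourcetype=syslog earliest=-24h
      | dedup host
      | eval type=2 ]
| stats values(type) AS types dc(type) AS numTypes BY host
| eval outcome=case(numTypes==2, "Y", types==1, "N", types==2, "?", true(), "??")
| table host outcome
```

Note that after the stats command the original type field is gone; only types (the values seen for that host) and numTypes (how many distinct values) survive, so the case() has to test types, not type. A host that is only in the second list comes out as "?" rather than being dropped, which is useful for spotting hosts missing from the master list. The subsearch inside append is subject to the command's maxout and maxtime limits, so for a very large second list either raise them (append maxout=... maxtime=...) or reverse the approach and run the second search first, then mark membership with lookup master_hosts.csv host OUTPUT host AS in_master and evaluate that field instead.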