Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

compare 2 different search results and list out the missing data from search 1 result

SathyaNarayanan
Path Finder
‎07-21-2016 04:15 AM

Hi,

I have 2 results from 2 different searches. I need to compare it & find out the missing data from search result 1

Search 1 result as Hostname

SVS1
SVS2
SVS3

Search 2 result as CI_name

SVS1
SVS2

my Result should be

SVS3

Note : I tried set diff command but it showing the difference not the missing data

Thanks in advance

Tags (1)
Reply

woodcock
Esteemed Legend
‎07-21-2016 07:37 AM

Like this:

SearchOneHere NOT [ SearchTwoHere | table CI_name | rename CI_name AS Hostname ]

Or this:

SearchOneHere | search NOT [ SearchTwoHere | table CI_name | rename CI_name AS Hostname ]
Reply

SathyaNarayanan
Path Finder
‎07-29-2016 06:38 AM

Thank you woodcock, it worked for me

0 Karma
Reply

woodcock
Esteemed Legend
‎07-29-2016 02:08 PM

Then please do click Accept on this answer to close the question.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-21-2016 05:01 AM

try this

search1 | eval count=0 | append [ search search2 | rename CI_name AS Hostname | stats count by Hostname ] | stats sum(count) AS Total by Hostname | where Total = 0

in this way you find all the Hostnames of Search1 that aren't in Search2.
Bye.
Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎09-09-2016 04:21 AM

if you're satisfied of the answer, please, accept the answer.
Bye.
Giuseppe

0 Karma
Reply

kiru2992
Path Finder
‎02-06-2018 12:35 AM

Hi Giuseppe,

I also have this problem and this query solves the issue. But I am having difficulty in understanding the
" stats sum(count) AS Total by Hostname" part of the query.

Can you please help me by explaining how the query works?

Thank you in advance.
Kiruthika

0 Karma
Reply

493669
Super Champion
‎02-06-2018 01:00 AM

here
search 1| eval count=0
gives result like 

Hostname       count
  A                    0
  B                    0
  C                    0

And search search2 | rename CI_name AS Hostname | stats count by Hostname
gives result like

Hostname       count
  B                    2
  C                    3
  D                    5

Now by append clause above results get appended gives below output

Hostname         count
      A                    0
      B                    0
      C                    0
      B                    2
      C                    3
      D                    5

Now | stats sum(count) AS Total by Hostname gives (sum of all count per Hostname) output as 

Hostname        Total
  A                    0
  B                    2
  C                    3
  D                    5

after which find whose Total field is zero | where Total = 0 which indicates here "A" hostame is missing.
Hope this helps!

Reply

kiru2992
Path Finder
‎02-06-2018 01:15 AM

Of course!! Thanks a lot!!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...