
How to compare values from two fields from different sources but only keep an uncommon value?

splunkerneedshe
New Member

Hi community,

I have a combined search which includes two sourcetypes. Both include a field with a username. Let's say it looks like this:

Sourcetype1 Field1:

User1
User2

Sourcetype2 Field2:

User1
User2
User3

I need the values that are present in Field2, and are not in Field1. The other way around is not of interest, so a simple count and looking at <2 is not an option. So, my search needs to reflect that User3 is a value of an event in Field2, but not a value of an event in Field1.

How do I do that within my search?

The search itself:

| ldapsearch search=(&(objectClass=group)(cn=*OMITTED*)) attrs="member"
| mvexpand member
| xmlkv
| eval member=substr(member, 4, 6)
| rename member AS Field1
| append [search sourcetype="*OMITTED2*" source="*OMITTED3*" *OMITTED4*=*OMITTED5* | rename *OMITTED6* AS Field2]

With many thanks!


richgalloway
SplunkTrust

Try this. It will show events in the subsearch that are not in the main search.

| ldapsearch search=(&(objectClass=group)(cn=OMITTED)) attrs="member"
| mvexpand member
| xmlkv
| eval member=substr(member, 4, 6)
| rename member AS Field1
| join type=inner Field1 [search sourcetype="OMITTED2" source="OMITTED3" OMITTED4=OMITTED5 | rename OMITTED6 AS Field1]
---
If this reply helps you, Karma would be appreciated.

splunkerneedshe
New Member

It gives back 0 results. If I place:

join type=inner SOME_BOGUS_FIELD

instead of

join type=inner Field1

it gives results, but far fewer values for Field2 than I would expect. So something is not working correctly. Maybe that has to do with the ldapsearch module. I tried converting Field1 to a string using:

eval Field1=tostring(Field1)

but that did not help.

Do you have any idea how to proceed?


richgalloway
SplunkTrust

Perhaps I renamed the wrong OMITTED field to Field1. Modify the query so Field1 is the same in both the main search and the subsearch.

---
If this reply helps you, Karma would be appreciated.
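A worked search for the requirement in the question (usernames that occur in the event source but never in the LDAP group), added here as an example; it is not code from either poster. It keeps the LDAP half as posted (including the xmlkv and substr steps), treats the OMITTED names as stand-ins for the redacted sourcetype, source and field, and assumes that the two sides disagree on case or surrounding whitespace, which is one common reason an exact-match join returns nothing; the lower()/trim() normalization and the src/user/seen_in field names are assumptions, not part of the original thread.

```spl
| ldapsearch search="(&(objectClass=group)(cn=OMITTED))" attrs="member"
| mvexpand member
| xmlkv
| eval user=lower(trim(substr(member, 4, 6))), src="ldap"
| fields user src
| append
    [ search sourcetype="OMITTED2" source="OMITTED3" OMITTED4=OMITTED5
    | eval user=lower(trim(OMITTED6)), src="events"
    | fields user src ]
| stats values(src) AS seen_in, dc(src) AS src_count BY user
| where src_count=1 AND seen_in="events"
| table user
```

Both halves are reduced to the same two fields (user, src) and stacked with append, so each username then carries the list of sources it was seen in; a user with src_count=1 whose only source is "events" is exactly the User3 case, and the where clause can be flipped to seen_in="ldap" for the opposite direction. This avoids join entirely, which matters because join also truncates the subsearch at its own result and time limits, another reason the inner join can look like "way less values than expected". To see why the join matched nothing in the first place, drop the last two lines and run `| stats count BY user src` to compare the raw values side by side. The append subsearch is still subject to its maxout and maxtime defaults, so for large event sets raise them or move the event side into the main search.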