I created a search that'll display the difference between two searches using 'set diff'. I initially set it to compare on one column (hosts), so if there's a difference between the two, it'll show up and create an alert based off this. However, I'd want to show both the hostname and the sourcetype, if possible, in the final search.
I initially tried to set it to show both host and sourcetype as part of the searches for the set diff, but it displays all the hosts, as the two searches use separate sourcetypes. I also tried setting it to display the final table to show the host and sourcetype, but I get an error from set diff.
Is there a way to do this using 'set diff' or is there a different method, such as using a 'multisearch' to compare?
Nope, set diff just isn't that useful, not allowing you to compare on anything and keep other data to output where the data came from. You'll have to use join or another strategy.
Here's one useful strategy ...
your search that gets 1 OR your search that gets 2
| fields host sourcetype
| eval host=upper(host)
| stats values(sourcetype) as sourcetype by host
| where mvcount(sourcetype)<2
Thank you for your answer. It's working as I'd want it to now, but I had a couple of further questions:
If I only wanted the alert to go off for a certain sourcetype, could I add another WHERE along the lines of "| where sourcetype = XXX", at the end of the search?
Is there a way of doing this with using 'hostname' rather than 'host'? This is more out of preference since most of my searches are based on the former, but as the output is virtually the same, this isn't a priority.
Sure, just change the variable name in all places.
your search that gets 1 OR your search that gets 2
| fields hostname sourcetype
| eval hostname=upper(hostname)
| stats values(sourcetype) as sourcetype by hostname
| where mvcount(sourcetype)<2 AND sourcetype="whatever"
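The pipeline from the answer above, re-implemented in Python as an added example (not from this thread and not Splunk code) so the semantics are visible: upper() normalisation of the host, values() deduplication, and the mvcount filter with the optional sourcetype restriction. The event records are constructed; from a defender's view, a host that reports under only one sourcetype is a log-coverage gap worth alerting on.

```python
"""Model the SPL pattern:
  ... | fields host sourcetype | eval host=upper(host)
      | stats values(sourcetype) as sourcetype by host
      | where mvcount(sourcetype)<2 [AND sourcetype="..."]
"""
from collections import defaultdict

# Constructed sample events: each dict holds the two fields kept by '| fields host sourcetype'.
# Hosts seen under both sourcetypes appear in both searches; hosts under one are the difference.
EVENTS = [
    {"host": "web01", "sourcetype": "access_combined"},
    {"host": "WEB01", "sourcetype": "linux_secure"},    # same host, different case: matched after upper()
    {"host": "web02", "sourcetype": "access_combined"},
    {"host": "web02", "sourcetype": "access_combined"}, # duplicate event: values() dedups it
    {"host": "db01",  "sourcetype": "linux_secure"},
    {"host": "db02",  "sourcetype": "linux_secure"},
    {"host": "db02",  "sourcetype": "access_combined"},
    {"host": "db03"},                                    # no sourcetype: mvcount is null, so dropped
]


def sourcetypes_by_host(events):
    """'| eval host=upper(host) | stats values(sourcetype) as sourcetype by host'.
    Returns {HOST: sorted list of distinct sourcetypes}."""
    grouped = defaultdict(set)
    for ev in events:
        host, st = ev.get("host"), ev.get("sourcetype")
        if host is None or st is None:   # events missing either field contribute nothing
            continue
        grouped[host.upper()].add(st)    # values() keeps distinct values only
    return {h: sorted(sts) for h, sts in grouped.items()}


def hosts_in_only_one(events, only_sourcetype=None):
    """'| where mvcount(sourcetype)<2 [AND sourcetype="only_sourcetype"]'.
    Returns {HOST: sourcetype} for hosts present in just one of the two searches."""
    result = {}
    for host, sts in sourcetypes_by_host(events).items():
        if len(sts) < 2:
            st = sts[0]
            if only_sourcetype is None or st == only_sourcetype:
                result[host] = st
    return result


if __name__ == "__main__":
    for host, st in sorted(hosts_in_only_one(EVENTS).items()):
        print(f"{host}\t{st}")
```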
@sepkarimpour, can you add your search query in the question?
Let me throw this out there - having not used set diff at all, my first thought is to build a new field with something like ... | eval host_and_sourcetype = host . "--" . sourcetype
and use that as your set/set diff.
Not quite a full answer, but if this works and is all you need, we can wordsmith it up and I can convert it to an Answer easily enough.
I agree with @rich7177. |set will only bring back the one column, so you'll want to |eval the information in your subsearches. Remember, however, that there are limits with set.
http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Set