Splunk Dev

How can I compare mvfields and get a diff?

daniel333
Builder

All,

I just had a user want to compare lists/arrays for diff etc. Honestly I have no idea how I might compare mvfields or even events. Wondering if you can point me to a good tutorial/doc on this?

SOME USER [2:10 PM]
----
[2:10] does Splunk have any way to compare lists/arrays?
[2:11] I have delimited list A and list B
[2:11] is there a Splunk function to diff the two?
[2:11] (or alternatively, split list A and list B, load them into two mvindex-ed fields, and compare the two fields for diffs)
[2:12] My Use Case: Windows logs changes to AD Group memberships, but doesn't actually tell you WHAT change was made
[2:13] so I want to compare Event 1 "Here are the current group members" to Event 2's "Here are the current group members" and find what changed

RobertEikel
Engager

This was much easier for me:

| eval diff=mvmap(field1, if(isnull(mvfind(field2, "^".field1."$")), field1, null()))

 

0 Karma

woodcock
Esteemed Legend

@daniel333 You should pick the bestest answer and click Accept to close this question (and UpVote any good/useful answers).

0 Karma

woodcock
Esteemed Legend

Wow, this one was SUPER fun! Feast your eyes on this @alacercogitatus:

| makeresults
| eval raw="a,b,c,d,e a,b,c,e,f"
| makemv raw
| mvexpand raw
| makemv delim="," raw
| eval host="matchingHost"
| streamstats count AS _serial
| eval after=if(_serial=1, raw, null())
| eval before=if(_serial=2, raw, null())
| fields - raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| selfjoin _time host
| streamstats count AS _serial
| multireport
    [| mvexpand after
    | where before!=after
    | rename after AS removed]
    [| mvexpand before
    | where before!=after
    | rename before AS added]
| fields - before after
| stats first(_time) AS _time first(host) AS host values(*) AS * BY _serial

As long as the pairs of events have the same exact timestamp, this works for any number of hosts and pairs.

woodcock
Esteemed Legend

If one of these worked, @daniel333, then you should come back and click Accept to close the question and help others.

0 Karma

DalJeanis
SplunkTrust

Okay, first, set diff is clunky and I haven't found a good use case for it. There are much easier ways to compare things.

Let's just do the basic straightforward approach. Put the first set in with some field marked "A" and the second set in with some field marked "B".

    | inputcsv append=t mylistA.csv | table user group | eval myfield="A"
    | append [ | inputcsv append=t mylistB.csv | table user group | eval myfield="B"]
    | stats values(myfield) as myfield by user group

This gives you records which have three fields, user, group and myfield. myfield is a multivalue field, and if it has mvcount(myfield)>1 then it is in both files unchanged. If you just want to see changes then do this....

    | where mvcount(myfield)=1
    | eval mystatus = if(myfield="A","removed", "added")
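The three answers above all compute the same thing: the set difference between two membership lists. The following is an added example, not code from any of the posters, that implements that diff in Python so it can be run and checked offline. It covers the mvmap/mvfind one-liner (including the false negative an unanchored regex match produces when one member name is a substring of another), the "tag each value A or B and keep the ones seen only once" approach, and the per-group pairing of consecutive "current group members" events from the original use case. All event data, group names and member names are constructed for the example; the function names are this example's own, not Splunk's.

```python
"""Added example (not from the thread): the set-diff the SPL answers compute, in Python."""
from collections import defaultdict

# Constructed sample "current group members" events, newest first (Splunk's default order).
# The member string is comma-delimited, as in the original question.
SAMPLE_EVENTS = [
    {"_time": 1700000120, "group": "Domain Admins", "members": "alice,bob,carol,dave-admin"},
    {"_time": 1700000060, "group": "Domain Admins", "members": "alice,bob,dave"},
    {"_time": 1700000120, "group": "Backup Operators", "members": "erin"},
    {"_time": 1700000060, "group": "Backup Operators", "members": "erin,frank"},
]


def split_members(delimited, delim=","):
    """Equivalent of makemv delim=",": split, trim whitespace, drop empty values."""
    return [m.strip() for m in delimited.split(delim) if m.strip()]


def diff_members(before, after):
    """Exact-match set difference. Returns (added, removed) as sorted lists."""
    before_set, after_set = set(before), set(after)
    return sorted(after_set - before_set), sorted(before_set - after_set)


def tag_and_diff(before, after):
    """The A/B tagging approach: tag each value with the list it came from,
    group by value; a value seen under only one tag is a change."""
    tags = defaultdict(set)
    for m in before:
        tags[m].add("A")
    for m in after:
        tags[m].add("B")
    return {m: ("removed" if t == {"A"} else "added") for m, t in tags.items() if len(t) == 1}


def substring_diff(before, after):
    """Mimics mvfind(field2, field1) with an unanchored pattern: a value counts as
    present if it occurs as a substring of any value on the other side.
    Included to show the false negative this produces ("dave" vs "dave-admin")."""
    removed = [m for m in before if not any(m in x for x in after)]
    added = [m for m in after if not any(m in x for x in before)]
    return added, removed


def group_changes(events):
    """Pair consecutive snapshots per group (oldest to newest) and report what changed,
    which is what the selfjoin/streamstats pairing in the SPL answer does per host."""
    by_group = defaultdict(list)
    for e in sorted(events, key=lambda e: e["_time"]):
        by_group[e["group"]].append(e)
    report = []
    for group, snaps in by_group.items():
        for prev, cur in zip(snaps, snaps[1:]):
            added, removed = diff_members(split_members(prev["members"]),
                                          split_members(cur["members"]))
            if added or removed:
                report.append({"group": group, "_time": cur["_time"],
                               "added": added, "removed": removed})
    return report


if __name__ == "__main__":
    for change in group_changes(SAMPLE_EVENTS):
        print(change)
```

Running it reports `dave` removed and `carol`, `dave-admin` added to the constructed "Domain Admins" group, and `frank` removed from "Backup Operators". `substring_diff` on the same lists misses the removal of `dave` because it matches inside `dave-admin`, which is why the mvfind pattern should be anchored (and escaped if member names can contain regex metacharacters) when the SPL one-liner is used.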

sureshmurgan
Path Finder
0 Karma