Splunk Enterprise Security

Compare Two Fields with different Names on different Index

mklhs
Path Finder

Hello Guys,

I have 2 indexes, index a and index b.
On index a I have a field called nachrichtId.
On index b I have a field called originalId.
Both of these fields have the same string (value).

I want to write a search now where I can find out if I have some nachrichtId events on index a but no originalId on index b.

I want to find out if I have some problems with my events or if I have a gap between these 2 indexes.

Can anyone help me please? Thank you 🙂

1 Solution

DavidHourani
Super Champion

Hi @mklhs,

If your value is already in a field, let's call it field_value, you can run a search as follows:

index= nachrichtId OR index=originalId
| stats dc(index) as condition by field_value
| where condition<2

If the value is not extracted and it's the whole event you wish to compare, then you can use the _raw field:

index= nachrichtId OR index=originalId
| stats dc(index) as condition by _raw
| where condition<2

Let me know if that helps.

Cheers,
David


mklhs
Path Finder

Thanks for your answer, but I don't know if this is right for me.

I have 2 indexes.
In index 1 I have an event with a field named Nachrichtentid;
this field has the value foobar.
In index 2 I have an event with a field named OriginalId;
this field also has the value foobar.

I want to find out which events are not forwarded by index 1 and index 2, so where events are missing here. In both indexes the events have only these 2 fields as a unique value.


DavidHourani
Super Champion

First you need to make sure that this ID has the same name in both indexes, to make it easier to join without using the join command. So first create an alias, call it joinID or something. Then run the search below:

 index=index1 OR index=index2
 | stats dc(index) as condition by joinID
 | where condition<2

This will fetch data from both indexes and see which ID is in less than 2 indexes.

If you also wish to know which index has the missing event, you can run the following:

 index=index1 OR index=index2
 | stats dc(index) as condition, values(index) as index by joinID
 | where condition<2
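As an added example (not from the thread above), the same gap check written so that it works without first configuring a field alias: the two differently named ID fields are normalized inline with coalesce, and the output also names the index each ID is missing from. It assumes the field names nachrichtId and originalId from the question and the index names index1 and index2 from the answer.

```spl
index=index1 OR index=index2
| eval joinID=coalesce(nachrichtId, originalId)
| where isnotnull(joinID)
| stats dc(index) AS condition, values(index) AS seen_in BY joinID
| where condition<2
| eval missing_from=if(seen_in=="index1", "index2", "index1")
| table joinID, seen_in, missing_from
```

Run it over a time range wide enough to cover the forwarding delay between the two indexes, otherwise events that simply have not arrived yet show up as gaps.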

mklhs
Path Finder

That works for me. Thank you for your help.


DavidHourani
Super Champion

You're welcome!
