Splunk Search

How to compare two searches to find values in one search and not the other

zachsisinst
Explorer

I have two datasets in separate indexes that I would like to compare. i.e.

dataset from search1:

item1
item2
item3

dataset from search2:

item1
item2
item3
item4
item5

I would like to produce a table that gives me a table of items that exist in search2 and not in search1. i.e.

itemfield       searchname
-------------------------------------
item4            search2
item5            search2

How would I do this?

0 Karma

anmolpatel
Builder

Something like this:

| makeresults 
| eval _raw = "list
         item1
         item2
         item3" 
| multikv forceheader=1 
| eval inList1 = "Y" 
| appendcols 
    [| makeresults 
    | eval _raw = "list
    item1
    item2
    item3
    item4
    item5" 
    | multikv forceheader=1 
    | table list] 
| eval inList2 = if(inList1 = "Y", "N", "Y") 
| where inList2 = "Y" 
| table list
0 Karma
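Another way to get the same table, added here as an example and not part of the answer above: stack the two result sets as rows with append instead of side by side with appendcols, tag each row with the search it came from, and let stats group on the item value. The item lists are constructed with makeresults and split so the search runs with no indexes; in a real deployment each makeresults block would be replaced by the actual index search followed by eval searchname="search1" (or "search2"). The field names itemfield and searchname are taken from the question; everything else is assumed.

```spl
| makeresults
| eval itemfield=split("item1,item2,item3", ","), searchname="search1"
| mvexpand itemfield
| table itemfield searchname
| append
    [| makeresults
     | eval itemfield=split("item1,item2,item3,item4,item5", ","), searchname="search2"
     | mvexpand itemfield
     | table itemfield searchname]
| stats values(searchname) as searchname by itemfield
| where mvcount(searchname)=1 AND searchname="search2"
```

Because the rows are grouped by itemfield rather than lined up by position, the result does not depend on the two lists being sorted the same way or on one being a prefix of the other; to list items missing from search2 instead, change the final comparison to searchname="search1". Keep in mind that append runs search2 as a subsearch, so its result count is capped by the subsearch limits configured on the search head.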