Splunk Search

Comparing data from two log files and displaying results which are different.

smolcj
Builder

Hi,
My need is to compare two log files of the same pattern. Sometimes the log files will be entirely different because they can be the files of two different instances, or they can be from the same instance at a different time; in that case, other than a few dynamic fields in the product, all other fields will be the same. I have been using a search for the result from a single file, and using the join command I tried to find the diff values for the search.
Please help me to find an efficient query for this need.

index=main source=SUCCESS
| transaction startswith="Source Summary" endswith="Load Summary"
| table summ_name
| mvexpand summ_name
| join summ_name [
    search index=main source=SUCCESS
    | fields summ_name summ_instance sum_out sum_affected sum_applied sum_rejected ]
| table summ_name summ_instance sum_out sum_affected sum_applied sum_rejected
| rename summ_name as Source | rename summ_instance as File1
| join type=outer Source [
    search index=main source=FAIL
    | transaction startswith="Source Summary" endswith="Load Summary"
    | table summ_name
    | mvexpand summ_name
    | join summ_name [
        search index=main source=FAIL
        | fields summ_name summ_instance sum_out sum_affected sum_applied sum_rejected ]
    | table summ_name summ_instance sum_out sum_affected sum_applied sum_rejected
    | rename summ_name as Source sum_out as sum_out1 sum_affected as sum_affected1 sum_applied as sum_applied1 sum_rejected as sum_rejected1
    | rename summ_instance as File2 ]
| where 'File1' != 'File2'

  • I am not able to provide a full outer join and display all the values from both the files.
  • If some fields are the same and other fields are different, then I want to display them in the same row.
  • SUCCESS and FAIL are 2 different files.

please help
Thank You

0 Karma

vj8210
Explorer

Hi, can you please paste sample log entries for both files?

0 Karma

Ayn
Legend

By PS I mean Professional Services - contact Splunk sales to discuss details.

0 Karma

smolcj
Builder

Thanks Ayn, but how can I seek the help of a product specialist?

0 Karma

Ayn
Legend

If you're not getting help here (I can't offer any, sorry) and really need to solve this problem, consider having Splunk PS come help you.

0 Karma

smolcj
Builder

Please help, badly in need of a solution

0 Karma

smolcj
Builder

Ayn, I have tried the set diff command, but I am not able to find something that can meet my second requirement 😞
i.e. if the source field is the same but other fields are different, I am not able to display the values from the second file. How can I do that? Currently I am using Sideview ValueSetter and HTML modules to group those values under File1 and File2, but then I am facing the issue of the full outer join.
Please help.

0 Karma
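The two requirements in the thread (a full outer join of the SUCCESS and FAIL summaries, and showing both files' values on one row when the Source matches but the counts differ) can both be met without join or set diff by searching both sources at once and letting stats do the join. The search below is an added example, not the original poster's query, and it assumes that each event already carries summ_name, summ_instance and the four sum_* fields as extracted fields (so the transaction/mvexpand step is not needed) and that each file contains at most one summary per summ_name:

```spl
index=main (source=SUCCESS OR source=FAIL) summ_name=*
| eval side=if(source=="SUCCESS", "File1", "File2")
| stats
    values(eval(if(side=="File1", summ_instance, null()))) as File1
    values(eval(if(side=="File2", summ_instance, null()))) as File2
    values(eval(if(side=="File1", sum_out, null())))      as sum_out1
    values(eval(if(side=="File2", sum_out, null())))      as sum_out2
    values(eval(if(side=="File1", sum_affected, null()))) as sum_affected1
    values(eval(if(side=="File2", sum_affected, null()))) as sum_affected2
    values(eval(if(side=="File1", sum_applied, null())))  as sum_applied1
    values(eval(if(side=="File2", sum_applied, null())))  as sum_applied2
    values(eval(if(side=="File1", sum_rejected, null()))) as sum_rejected1
    values(eval(if(side=="File2", sum_rejected, null()))) as sum_rejected2
    by summ_name
| eval status=case(
    isnull(File1), "only in FAIL",
    isnull(File2), "only in SUCCESS",
    coalesce(sum_out1,"")!=coalesce(sum_out2,"") OR coalesce(sum_affected1,"")!=coalesce(sum_affected2,"")
      OR coalesce(sum_applied1,"")!=coalesce(sum_applied2,"") OR coalesce(sum_rejected1,"")!=coalesce(sum_rejected2,""), "different",
    true(), "same")
| where status!="same"
| rename summ_name as Source
| table Source status File1 File2 sum_out1 sum_out2 sum_affected1 sum_affected2 sum_applied1 sum_applied2 sum_rejected1 sum_rejected2
```

Because stats groups by summ_name across both sources, every Source present in either file gets a row, which is the full outer join; the eval-inside-stats trick pivots each file's fields into its own column set so differing counts sit side by side on one row. The coalesce calls make a value that is missing on one side count as a difference rather than comparing against null. The `status` column tells you whether a Source is missing from one file or present in both with different counts; drop the final `where` to also see the matching rows. This also avoids the subsearch result limits that apply to join.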

Ayn
Legend

Did you have a look at set diff?
