I'd like to compare the configuration of several nodes using a single search. Each node has multiple keys expressed as one key value pair per event i.e.
timestamp audit=true
timestamp enabled=true
Is there a way to compare all the keys against each other and report deltas?
I've updated the question to ensure it's correctly formatted.
Yes, if I understand properly.
Join all events about a single node with a transaction, then each transaction will have all the values.
...| transaction some_node_id_field ...
from there, there are many things you can do -- compare particular nodes like this:
| diff pos1=1 pos2=2 attribute=enabled
get top combinations...
| top audit, enabled
cluster nodes to similar nodes...
| cluster
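The same pipeline outside Splunk, as an added Python example that is not part of the original answer: join each node's one-key-per-event records into a single per-node record (the `transaction` step), then report every key whose value differs or is missing somewhere (the `diff` step) and group nodes with identical configuration (the `cluster` step). The events, node ids and field names other than `audit` and `enabled` are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample events (made-up timestamps and node ids): one key=value pair per event.
EVENTS = """\
2024-01-01T00:00:01 node=web01 audit=true
2024-01-01T00:00:01 node=web01 enabled=true
2024-01-01T00:00:01 node=web01 tls_min=1.2
2024-01-01T00:00:02 node=web02 audit=false
2024-01-01T00:00:02 node=web02 enabled=true
2024-01-01T00:00:03 node=web03 audit=true
2024-01-01T00:00:03 node=web03 enabled=true
2024-01-01T00:00:03 node=web03 tls_min=1.2
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def build_transactions(raw):
    """Group events by node id, like `| transaction node`: one key=value dict per node."""
    nodes = defaultdict(dict)
    for line in raw.splitlines():
        pairs = dict(KV_RE.findall(line))
        node = pairs.pop("node", None)
        if node is None:
            continue  # an event that cannot be tied to a node is skipped
        nodes[node].update(pairs)
    return dict(nodes)


def config_deltas(nodes):
    """Return {key: {node: value}} for every key whose value is not identical on all nodes.
    A key missing on a node is reported as None, so gaps show up as deltas as well."""
    all_keys = set().union(*(cfg.keys() for cfg in nodes.values()))
    deltas = {}
    for key in sorted(all_keys):
        per_node = {n: cfg.get(key) for n, cfg in nodes.items()}
        if len(set(per_node.values())) > 1:
            deltas[key] = per_node
    return deltas


def cluster_nodes(nodes):
    """Group nodes that share an identical configuration, like `| cluster` on the joined records."""
    groups = defaultdict(list)
    for node, cfg in nodes.items():
        groups[tuple(sorted(cfg.items()))].append(node)
    return sorted(groups.values())


if __name__ == "__main__":
    txns = build_transactions(EVENTS)
    print(config_deltas(txns), cluster_nodes(txns))
```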