Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to compare two results every week and display the differences from one index?

btluynk
Loves-to-Learn Lots
‎01-05-2023 12:35 AM

Hi team,

I want to compare two results every week and display the differences from one index. And I want create Jira ticket if the results are different.

Thanks

Labels (5)
Labels
0 Karma
Reply

btluynk
Loves-to-Learn Lots
‎01-05-2023 12:58 AM

Hi @gcusello ,

Thanks for your response, for example;

index=windows_server source=AD_Enabled_Server |dedup hostname|eval checker=0 |join type=outer hostname [search index=logsource source="/root/xxx/aaa.txt" |eval checker=1]|table hostname,checker|search checker=0

Every week this search runs and I get the results. But if the result is different, I want to create a structure like open a ticket.

Thanks

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2023 01:12 AM

Hi @btluynk,

always remember that Splunk isn't a database and the join command must be used only when you haven't any other solution because it's a very slow and resource consuming command.

Let me understand: you want to find the hostname in windows and in logsource, but if you use the condition checker=0, you always have results, what do you want really find: the list of hostanems every week?

Anyway, your original search can be done using stats in this way:

(index=windows_server source=AD_Enabled_Server) OR (index=logsource source="/root/xxx/aaa.txt")
| stats dc(index) AS index_count values(index) AS index BY hostname
| where index_count=1 AND index=windows

 If instead you want to find the hostname in windows that are also in logsource, you can use :

index=windows_server source=AD_Enabled_Server [ search index=logsource source="/root/xxx/aaa.txt") | fields hostname ]

this search has only the limit of 50,000 results in the subsearch.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2023 12:46 AM

Hi @btluynk,

if you already created the search, please share it, otherwise, please share the sample data highlighting  the fields to compare.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...