Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to compare two results every week and display the differences from one index?

btluynk
Loves-to-Learn Lots
‎01-05-2023 12:35 AM

Hi team,

I want to compare two results every week and display the differences from one index. And I want create Jira ticket if the results are different.

Thanks

Labels (5)
Labels
0 Karma
Reply

btluynk
Loves-to-Learn Lots
‎01-05-2023 12:58 AM

Hi @gcusello ,

Thanks for your response, for example;

index=windows_server source=AD_Enabled_Server |dedup hostname|eval checker=0 |join type=outer hostname [search index=logsource source="/root/xxx/aaa.txt" |eval checker=1]|table hostname,checker|search checker=0

Every week this search runs and I get the results. But if the result is different, I want to create a structure like open a ticket.

Thanks

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2023 01:12 AM

Hi @btluynk,

always remember that Splunk isn't a database and the join command must be used only when you haven't any other solution because it's a very slow and resource consuming command.

Let me understand: you want to find the hostname in windows and in logsource, but if you use the condition checker=0, you always have results, what do you want really find: the list of hostanems every week?

Anyway, your original search can be done using stats in this way:

(index=windows_server source=AD_Enabled_Server) OR (index=logsource source="/root/xxx/aaa.txt")
| stats dc(index) AS index_count values(index) AS index BY hostname
| where index_count=1 AND index=windows

 If instead you want to find the hostname in windows that are also in logsource, you can use :

index=windows_server source=AD_Enabled_Server [ search index=logsource source="/root/xxx/aaa.txt") | fields hostname ]

this search has only the limit of 50,000 results in the subsearch.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2023 12:46 AM

Hi @btluynk,

if you already created the search, please share it, otherwise, please share the sample data highlighting  the fields to compare.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...