Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search the difference between the values of two fields between separate searches?

jawebb
Explorer
‎10-20-2015 06:23 PM

I have a field of names from two indexes and wish to find the unique values between them. I thought I should have to use the | set diff command for this, but have been coming up short. Any help would be appreciated. Here is what I have so far.

|set diff [search index=index1 |eval Name=lower(Name) | dedup Name | fields Name] [search index=index2| rename "computer_name" as Name | eval Name=lower(Name)| dedup Name | fields Name]

I still find duplicates and non unique values, but dedup seems to work when I separate the searches.

Thanks!

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-20-2015 06:42 PM

Try this:

index=index1 OR  index=index2 | rename "computer_name" as Name |eval Name=lower(Name) | stats values(*) AS * dc(index) AS indices by Name

This gives the fully merged set (full join). For each function, tack on the appropriate remaining search string:

For XOR (outer join) which I believe is what you are seeking:

| where indices = 1

For left join:

| where index=index1

For right join:

| where index=index2

For inner join:

| where indices>1

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-20-2015 08:11 PM

Try something like this

  index=index1 OR index=index2 | eval Name=coalesce(lower(Name),lower('computer_name')) | stats dc(index) as indexes by Name | where indexes=1
0 Karma
Reply
Solved! Jump to solution

jawebb
Explorer
‎10-21-2015 06:04 AM

This along with the previous answer both seem to get the job done, with the previous answer including all of the fields that I can use for additional manipulation. Thanks for the help!!

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-20-2015 06:42 PM

Try this:

index=index1 OR  index=index2 | rename "computer_name" as Name |eval Name=lower(Name) | stats values(*) AS * dc(index) AS indices by Name

This gives the fully merged set (full join). For each function, tack on the appropriate remaining search string:

For XOR (outer join) which I believe is what you are seeking:

| where indices = 1

For left join:

| where index=index1

For right join:

| where index=index2

For inner join:

| where indices>1
Reply
Solved! Jump to solution

jawebb
Explorer
‎10-21-2015 06:04 AM

That does it. Thanks again!

0 Karma
Reply
Solved! Jump to solution

gcato
Contributor
‎10-20-2015 06:32 PM

Hi jawebb,

Try doing a sort on the field Name in both searches and see if that helps.

0 Karma
Reply
Solved! Jump to solution

gcato
Contributor
‎10-20-2015 06:37 PM

Should also note that subsearches have a max result limit of 10,000 events.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...