Splunk Search

Searching two indexes to compare and show the difference

SGun
Explorer

index="proxy_logs" category="none"
| top category, protocol, url, cs_Referer limit=1000
| eval results = if(match(upper(cs_Referer),upper(url)), "hit", "miss")
| where results="miss"
| table category, protocol, url, cs_Referer, results

Above is working thanks to a couple of posts on here.

Now I want to compare the "url" field in index1 against another index2 that also has the "url" field and show the output of index1 that does not match index2.

First search looks for items that don't match in the first index.

I then want to search the second index and output only items that do not match the first index.


jplumsdaine22
Influencer

Something like this might do the trick. This should show you any url in index1 only (ie no match in index2).

foo (index=index1 OR index=index2) 
| stats values(index) as indexes by url 
| where mvcount(indexes)=1 AND indexes="index1"

SGun
Explorer

I was hoping to include, as I want to check the output is a miss.

| eval results = if(match(upper(cs_Referer),upper(url)), "hit", "miss")
| where results="miss"

Thanks,


jplumsdaine22
Influencer

This will work: | eval results = if(match(upper(cs_Referer),upper(url)), "hit", "miss") provided an event contains both fields. I assume one index has cs_referer and the other has url. What field correlates the events between indexes?

For example, let's say each event has a field requestID that is identical in both indexes. Then you might do:

(index=index1 OR index=index2) 
| stats values(cs_referer) AS cs_referer values(url) as url by requestID
| eval results = if(match(upper(cs_Referer),upper(url)), "hit", "miss") 
| where results="miss"

SGun
Explorer

No results on this one.


jplumsdaine22
Influencer

Is your eval working? i.e. take out the where clause. Also check my spelling of cs_referer (field names are case sensitive).


SGun
Explorer

index="proxy_logs" OR index="websitelist" category="none" cs_Referer!="-"
| stats values(cs_Referer) AS cs_Referer values(url) as url by requestID
| eval results = if(match(upper(cs_Referer),upper(url)), "hit", "miss")
| where results="miss"

Produces no results.

index="proxy_logs" OR index="websitelist" category="none" cs_Referer!="-"
| stats values(index) as indexes by url
| where mvcount(indexes)=1 AND indexes="bcoat_logs"

Produces results, but I need to confirm the output data.

What I am trying to do is look up all the urls in the proxy_logs where the url with an unknown category does not match the cs_Referer, then mark it as a "miss".

Then check the "miss" results against the second index "websitelist" url.

The other issue is that the "proxy_logs" outputs url not just as a domain name (http://, www. etc.). The "websitelist" has just the domain.

Thanks,

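A combined search, added here as an example and not posted by anyone in this thread, that deals with the last point: both url and cs_Referer are reduced to a bare, lower-cased domain before comparing, so the proxy's http://www.example.com/... form lines up with the bare domain stored in websitelist. It assumes proxy_logs carries url and cs_Referer (capital R) and websitelist carries only url, keeps the category="none" and cs_Referer!="-" filters on the proxy side only, and compares normalised domains instead of the raw match() used above (a regex match against an unescaped url is looser than it looks, since every dot matches any character):

```spl
(index="proxy_logs" category="none" cs_Referer!="-") OR index="websitelist"
| eval url_domain = replace(lower(url), "^(?:[a-z][a-z0-9+.-]*://)?(?:www\.)?([^/:?#]+).*$", "\1")
| eval ref_domain = replace(lower(cs_Referer), "^(?:[a-z][a-z0-9+.-]*://)?(?:www\.)?([^/:?#]+).*$", "\1")
| eval results = case(index=="websitelist", "list", url_domain==ref_domain, "hit", true(), "miss")
| where results!="hit"
| stats values(results) AS results, values(url) AS proxy_urls, count AS events by url_domain
| where mvcount(results)=1 AND results="miss"
| table url_domain, proxy_urls, events
```

The first where drops every proxy event whose referer domain matches its url domain; after the stats, a url_domain that only ever appears with "miss" is one that no websitelist event shares, so those are the uncategorised, unlisted domains. Run it first with the final two lines removed to confirm url_domain and ref_domain are extracted the way you expect on your data.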