Hi,
I have 2 results from 2 different searches. I need to compare them and find out the missing data from search result 1.
Search 1 result as Hostname
SVS1
SVS2
SVS3
Search 2 result as CI_name
SVS1
SVS2
My result should be
SVS3
Note: I tried the set diff command, but it shows the difference, not the missing data.
Thanks in advance
Like this:
SearchOneHere NOT [ SearchTwoHere | table CI_name | rename CI_name AS Hostname ]
Or this:
SearchOneHere | search NOT [ SearchTwoHere | table CI_name | rename CI_name AS Hostname ]
Thank you woodcock, it worked for me
Then please do click Accept on this answer to close the question.
Try this:
search1 | eval count=0 | append [ search search2 | rename CI_name AS Hostname | stats count by Hostname ] | stats sum(count) AS Total by Hostname | where Total = 0
In this way you find all the Hostnames of Search1 that aren't in Search2.
Bye.
Giuseppe
If you're satisfied with the answer, please accept the answer.
Bye.
Giuseppe
Hi Giuseppe,
I also have this problem and this query solves the issue. But I am having difficulty in understanding the "stats sum(count) AS Total by Hostname" part of the query.
Can you please help me by explaining how the query works?
Thank you in advance.
Kiruthika
Here,
search1 | eval count=0
gives a result like
Hostname count
A 0
B 0
C 0
And
search search2 | rename CI_name AS Hostname | stats count by Hostname
gives a result like
Hostname count
B 2
C 3
D 5
Now, with the append clause, the above results get appended, which gives the output below:
Hostname count
A 0
B 0
C 0
B 2
C 3
D 5
Now
| stats sum(count) AS Total by Hostname
gives (the sum of all counts per Hostname) the output:
Hostname Total
A 0
B 2
C 3
D 5
After that, find the rows whose Total field is zero with
| where Total = 0
which indicates that hostname "A" is missing here.
Hope this helps!
Of course!! Thanks a lot!!
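The append/stats approach walked through above, as an added example that is not part of the original thread: it builds the question's two host lists inline with makeresults (constructed data, with SVS2 deliberately written as "svs2 " in the second list) so it runs without any index. The upper(trim(...)) normalization is an addition beyond the posted queries, included because stats groups its by-field case-sensitively.

```spl
| makeresults
| eval Hostname=split("SVS1,SVS2,SVS3", ",")
| mvexpand Hostname
| eval Hostname=upper(trim(Hostname))
| eval count=0
| append
    [| makeresults
     | eval CI_name=split("SVS1,svs2 ", ",")
     | mvexpand CI_name
     | rename CI_name AS Hostname
     | eval Hostname=upper(trim(Hostname))
     | stats count by Hostname ]
| stats sum(count) AS Total by Hostname
| where Total=0
| fields Hostname
```

This returns the single row SVS3. Without the two normalization lines, SVS2 would also be reported as missing, because "SVS2" and "svs2 " are summed as separate Hostname groups.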