Intersplunk solution:
apps/fieldcompare/bin/fieldcompare.py:
# custom command script
import splunk.Intersplunk
import json
import sys
def is_json(myjson):
return type(myjson) == type({})
#found difference between two jsons
def searchleveljson(json1,json2,resultKey,resultValues):
keys=set(json1.keys())
keys2=set(json2.keys())
keys.update(keys2)
for json_event in keys:
if json_event not in json1:
resultKey.append(json_event)
resultValues.append("actual."+json_event+"."+json2[json_event])
continue;
if json_event not in json2:
resultKey.append(json_event)
resultValues.append("expected."+json_event+"."+json1[json_event])
continue;
v1 = json1[json_event]
v2 = json2[json_event]
if v1 != v2:
if is_json(v1) and is_json(v2):
searchleveljson(v1,v2,resultKey,resultValues)
else:
resultKey.append(json_event)
diff = "actual."+json_event+"="+json2[json_event]
diff+= " "
diff+= "expected."+json_event+"="+json1[json_event]
resultValues.append(diff)
(isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv)
args, kwargs = splunk.Intersplunk.getKeywordsAndOptions()
if isgetinfo:
# streaming, generating, retevs, reqsop, preop
splunk.Intersplunk.outputInfo(True, False, False, False, None)
results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
field1 = kwargs.get("json1", "field1")
field2 = kwargs.get("json2", "field2")
for result in results:
try:
#corrected errors for converting string to json
#json.load(fieldx) -> json.loads(result[fieldx])
j1 = json.loads(result[field1])
j2 = json.loads(result[field2])
except ValueError:
pass
resultKey = list()
resultValues = list()
searchleveljson(j1,j2,resultKey,resultValues)
result["mismatched_keys"]=json.dumps(resultKey)
result["value_diff"]=json.dumps(resultValues)
splunk.Intersplunk.outputResults(results)
apps/fieldcompare/default/custom.conf:
[fieldcompare]
filename = fieldcompare.py
streaming=true
apps/fieldcompare/metadata/default.meta:
[commands/fieldcompare]
access = read : [ * ], write : [ admin ]
export = system
[scripts/fieldcompare.py]
access = read : [ * ], write : [ admin ]
export = system
I deleted all other folders (spunk and splunklib)
Restart splunk.
| table column1 column2 | fieldcompare __EXECUTE__ json1=column1 json2=column2
the result is a table with the following columns:
column1 | column2 | mismatched_keys | value_diff
mismatched_keys contains all different keys
value_diff contains all different value
... View more