My problem is: I have an id that should be logged from two systems if integration between these two have worked as supposed to. And this id will be logged with different names from these two systems, but should be the same(and unique of course) across these systems.
event1: ....systemA_dokumentID=22
event2: ....systemA_dokumentID=23
event3: ....systemB_dokumentID=22
I would then like to do a search that returns a list of ids from systemA that are not found in systemB. The example above should then return 23 in its list.
There is a large amount of data involved here - up to several millions.
My 2 questions are then:
Is this possible?
If it is possible, is it a good idea to do this in splunk (it's not critical for the search to be very fast)?
... View more