https://community.splunk.com/t5/Splunk-Enterprise/How-to-do-line-by-line-compare-and-show-if-there-is-a-difference/m-p/615291#M14071 <P>Here's one approach you can take:</P><P>1. Calculate the most common ios value "common_ios" for each host (using appendpipe and top)<BR />2. Populate the common_ios value to each event using eventstats<BR />3. Look for any ios value that's different than the&nbsp;common_ios value.</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval events="2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU5 IOS: 96;2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU4 IOS: 96;2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU3 IOS: 96;2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU2 IOS: 96;2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU1 IOS: 76;2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU0 IOS: 96" | eval events=SPLIT(events, ";"), host="ACME_SERVER1" | mvexpand events | rex field=events "^.*\]:\s(?&lt;gpu&gt;GPU\d+)\sIOS\:\s+(?&lt;ios&gt;\d+)" | eval gpu_ios=gpu." : ".ios | bucket _time span=1m | appendpipe [| top 1 ios BY _time host | rename ios AS common_ios | table _time common_ios host] | eventstats max(common_ios) AS common_ios values(gpu_ios) AS gpu_ios BY _time host | where LEN(gpu)&gt;1 AND ios!=common_ios | table _time host gpu ios common_ios gpu_ios</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Fri, 30 Sep 2022 05:06:24 GMT johnhuang 2022-09-30T05:06:24Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-do-line-by-line-compare-and-show-if-there-is-a-difference/m-p/615287#M14070 <P>I have the following sample event<BR /><BR /><SPAN class="">2022-09-29T19:29:22.260916-07:00</SPAN>&nbsp;abc&nbsp;<SPAN class="">log-inventory.sh</SPAN><SPAN>[</SPAN><SPAN class="">24349</SPAN><SPAN>]</SPAN><SPAN class="">:</SPAN> <SPAN class="">GPU5&nbsp;&nbsp;</SPAN><SPAN class="">IOS:</SPAN> <SPAN class="">96</SPAN></P><P><SPAN class="">2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh<SPAN>[</SPAN>24349<SPAN>]</SPAN>: GPU4&nbsp;IOS: 96</SPAN></P><P><SPAN class="">2022-09-29T19:29:22.260916-07:00&nbsp;abc log-inventory.sh<SPAN>[</SPAN>24349<SPAN>]</SPAN>: GPU3&nbsp;IOS: 96</SPAN></P><P><SPAN class="">2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh<SPAN>[</SPAN>24349<SPAN>]</SPAN>: GPU2&nbsp;IOS: 96</SPAN></P><P><SPAN class="">2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh<SPAN>[</SPAN>24349<SPAN>]</SPAN>: GPU1&nbsp;IOS:&nbsp;76</SPAN></P><P><SPAN class="">2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh<SPAN>[</SPAN>24349<SPAN>]</SPAN>: GPU0&nbsp;IOS: 96<BR /><BR />I want to compare the IOS value&nbsp; for each host and if any one is showing a different value then I want to output the result .In the above events for host=abc all GPU's has IOS value as 96 except for GPU1 which is 76.I want to output the GPU1 and the value of IOS...I tried doing diff but its not working.</SPAN></P><P>&nbsp;</P><P><SPAN class="">Thanks in Advance</SPAN></P><P>&nbsp;</P> Fri, 30 Sep 2022 03:50:32 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-do-line-by-line-compare-and-show-if-there-is-a-difference/m-p/615287#M14070 vrmandadi 2022-09-30T03:50:32Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-do-line-by-line-compare-and-show-if-there-is-a-difference/m-p/615291#M14071 <P>Here's one approach you can take:</P><P>1. Calculate the most common ios value "common_ios" for each host (using appendpipe and top)<BR />2. Populate the common_ios value to each event using eventstats<BR />3. Look for any ios value that's different than the&nbsp;common_ios value.</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval events="2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU5 IOS: 96;2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU4 IOS: 96;2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU3 IOS: 96;2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU2 IOS: 96;2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU1 IOS: 76;2022-09-29T19:29:22.260916-07:00 abc log-inventory.sh[24349]: GPU0 IOS: 96" | eval events=SPLIT(events, ";"), host="ACME_SERVER1" | mvexpand events | rex field=events "^.*\]:\s(?&lt;gpu&gt;GPU\d+)\sIOS\:\s+(?&lt;ios&gt;\d+)" | eval gpu_ios=gpu." : ".ios | bucket _time span=1m | appendpipe [| top 1 ios BY _time host | rename ios AS common_ios | table _time common_ios host] | eventstats max(common_ios) AS common_ios values(gpu_ios) AS gpu_ios BY _time host | where LEN(gpu)&gt;1 AND ios!=common_ios | table _time host gpu ios common_ios gpu_ios</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Fri, 30 Sep 2022 05:06:24 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-do-line-by-line-compare-and-show-if-there-is-a-difference/m-p/615291#M14071 johnhuang 2022-09-30T05:06:24Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-do-line-by-line-compare-and-show-if-there-is-a-difference/m-p/615420#M14087 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/190794">@johnhuang</a>&nbsp; Thank you for you reply.How do I make it work to only look at the latest events for a host(GPU0-GPU5) .Currently it is showing all the results when there is a change but I only want to see the latest and if there is change show only that.<BR /><BR />Below is the query I used&nbsp;</P><LI-CODE lang="markup">index=preos_inventory sourcetype = preos_inventory host IN(*) | rex field=_raw "log-inventory.sh\[(?&lt;id&gt;[^\]]+)\]\:\s*(?&lt;gpu&gt;[^\:]+)\:\s*(?&lt;ios&gt;.*)" | search gpu=*VBIOS* host=preos | eval gpu_ios=gpu." : ".ios | bucket _time span=1m | appendpipe [| top 1 ios BY _time host | rename ios AS common_ios | table _time common_ios host] | eventstats max(common_ios) AS common_ios values(gpu_ios) AS gpu_ios BY _time host | table _time host gpu ios common_ios gpu_ios | where LEN(gpu)&gt;1 AND ios!=common_ios</LI-CODE> Fri, 30 Sep 2022 16:38:01 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-do-line-by-line-compare-and-show-if-there-is-a-difference/m-p/615420#M14087 vrmandadi 2022-09-30T16:38:01Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-do-line-by-line-compare-and-show-if-there-is-a-difference/m-p/615435#M14089 <P>Use latest.</P><P>index=preos_inventory sourcetype = preos_inventory host IN(*)<BR />| rex field=_raw "log-inventory.sh\[(?&lt;id&gt;[^\]]+)\]\:\s*(?&lt;gpu&gt;[^\:]+)\:\s*(?&lt;ios&gt;.*)"<BR />| search gpu=*VBIOS* host=preos<BR />| eval gpu_ios=gpu." : ".ios<BR /><FONT color="#FF0000"><STRONG>| stats latest(_time) AS _time latest(*) AS * BY host gpu</STRONG></FONT><BR />| bucket _time span=1m<BR />| appendpipe [| top 1 ios BY _time host | rename ios AS common_ios | table _time common_ios host]<BR />| eventstats max(common_ios) AS common_ios values(gpu_ios) AS gpu_ios BY _time host<BR />| table _time host gpu ios common_ios gpu_ios<BR />| where LEN(gpu)&gt;1 AND ios!=common_ios</P><P>&nbsp;</P> Fri, 30 Sep 2022 17:05:52 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-do-line-by-line-compare-and-show-if-there-is-a-difference/m-p/615435#M14089 johnhuang 2022-09-30T17:05:52Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-do-line-by-line-compare-and-show-if-there-is-a-difference/m-p/615900#M14107 <P>Thank you this worked</P> Tue, 04 Oct 2022 21:00:01 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-do-line-by-line-compare-and-show-if-there-is-a-difference/m-p/615900#M14107 vrmandadi 2022-10-04T21:00:01Z