topic Re: File Compare and Display in Splunk Enterprise

File Compare and Display

akankshayadav — Fri, 18 Jun 2021 05:27:47 GMT

Consider, i have two files. File1 and File2

File1 and File2 got indexed last month with events in file1 say A ,B and events in file2 say C,D .

They again got indexed today, file1 with same events A and B but file2 with C,D,E,F. This means that file2 modified version has different events as compared to it's last version.

Now , i need to display in the panel all files like file2 whose current events are different from last events.

Thanks in advance!

Re: File Compare and Display

ITWhisperer — Fri, 18 Jun 2021 07:17:40 GMT

Count the events by type and month, where there is only one e.g. E and F, these are new events.

Re: File Compare and Display

akankshayadav — Fri, 18 Jun 2021 07:22:39 GMT

Can any code be provided? Below is my dashboard, might be useful for reference. 1st panel has the different version of files and 2nd panel has the unique events in each . Any help?

Re: File Compare and Display

ITWhisperer — Fri, 18 Jun 2021 07:37:51 GMT

Not tremendously helpful since it isn't clear where Events have come from or whether InvVersion represents the different months, but assuming Events is a collection of Events and InvVersion are the different months, then

| stats count values(InvVersion) as InvVersion by Events File | where count=1

Re: File Compare and Display

akankshayadav — Fri, 18 Jun 2021 07:50:44 GMT

Your assumptions are correct but the 2nd panel is dependent on the 1st panel. when i click the file in 1st panel, the 2nd one gets display by drilldown. The view you are seeing in 2nd panel is of unique events of one file in different versions. Now from this , there are numerous files with such differences. Some have unique events, some don't . How can i display the name of files who have different events in the versions?

For simplicity , instead of taking 4 versions of a file(as in my dashboard which a shared the pic) , lets assume there are only two versions.

Re: File Compare and Display

ITWhisperer — Fri, 18 Jun 2021 08:02:52 GMT

It is not clear whether the events are unique within each file for each version so assuming they aren't you can count them and ignore the count, then count the number of versions each combination of event and file there are. Any with this second count as 1 only occurs in one of the file versions

Re: File Compare and Display

akankshayadav — Fri, 18 Jun 2021 08:18:14 GMT

Panel 2 displays the Events unique in each version of a file . i.e count=1 of _raw in each version of file.

I need the names of all the files whose versions have unique events . i.e if first version of file1 has A B and second version has A C , and file2 has A and B in both events then file1 should be my answer.

Re: File Compare and Display

ITWhisperer — Fri, 18 Jun 2021 08:29:44 GMT

Have you tried my suggestion? Here is a runanywhere version to show it working with the data you suggested

Re: File Compare and Display

akankshayadav — Mon, 21 Jun 2021 05:28:24 GMT

Yes i did try . but it isn't getting the answer.
Can you give me an approach that I can get the names of files whose events are different in different versions.
File 1 - before had events- A B today has A C

File 2- before had - X Z today also X Z

My output desired is File1 displayed

Re: File Compare and Display

akankshayadav — Mon, 21 Jun 2021 05:52:57 GMT

The solution which you suggested, where can i put this in my code but it's not working for some files like

here the pas.csv has a different event in a version but the name of this file is not displayed in output

Re: File Compare and Display

ITWhisperer — Mon, 21 Jun 2021 05:42:36 GMT

Replace line 5-7 with

Re: File Compare and Display

akankshayadav — Mon, 21 Jun 2021 05:55:10 GMT

This is displaying the names of all files , not the files only with different events

Re: File Compare and Display

ITWhisperer — Mon, 21 Jun 2021 06:26:31 GMT

Try this - I was not taking into account multiple copies of the different versions

Also, is it possible that either or both path and file have trailing spaces?

Re: File Compare and Display

akankshayadav — Mon, 21 Jun 2021 06:30:46 GMT

No results displayed

NO trailing spaces

Re: File Compare and Display

ITWhisperer — Mon, 21 Jun 2021 06:49:12 GMT

Remove lines 7 and 8 - they were from setting up sample data, not part of the solution

Re: File Compare and Display

akankshayadav — Mon, 21 Jun 2021 06:51:56 GMT

Still no output sir

Re: File Compare and Display

ITWhisperer — Mon, 21 Jun 2021 06:55:20 GMT

Remove line 7

Re: File Compare and Display

akankshayadav — Mon, 21 Jun 2021 07:00:30 GMT

Still no output sir. What is the logic of |ine 10?

Re: File Compare and Display

ITWhisperer — Mon, 21 Jun 2021 08:25:23 GMT

Another approach

| makeresults | eval _raw="InvVersion,File,Events 1,file1,A B 2,file1,A B 3,file1,A B C 4,file1,A B C 1,file2,M N 2,file2,M N 3,file2,M O 4,file2,M P 1,file3,A 1,file3,B 2,file3,A 2,file3,B 3,file3,A 3,file3,B 3,file3,C 4,file3,A 4,file3,B 4,file3,C 1,file4,M N 2,file4,M N 3,file4,M N 4,file4,M N 1,file5,M 1,file5,N 2,file5,M 2,file5,N 3,file5,M 3,file5,N 4,file5,M 4,file5,N" | multikv forceheader=1 | fields - _* linecount | stats count by InvVersion Events File | eventstats dc(InvVersion) as versions by File | stats values(versions) as versions count by Events File | where versions>count | dedup File | table File

Re: File Compare and Display

akankshayadav — Mon, 21 Jun 2021 08:41:17 GMT

No output for the exact same . Did you get the output?