topic How can I compare mvfields and get a diff? in Splunk Dev

How can I compare mvfields and get a diff?

daniel333 — Tue, 05 Sep 2017 17:36:54 GMT

All,

I just had a user want to compare lists/arrays for diff etc. Honestly I have no idea how I might compare mvfields or even events. Wondering if you can point me to a good tutorial/doc on this?

SOME USER [2:10 PM] 
----


[2:10] 
does Splunk have any way to compare lists/arrays?


[2:11] 
I have delimited list A and list B


[2:11] 
is there a splunk function to diff the two?


[2:11] 
(or alternatively, split list A and list B, load them into two mvindex-ed fields, and compare the two fields for diffs)


[2:12] 
My Use Case:  Windows logs changes to AD Group memberships, but doesn't actually tell you WAHT change was made


[2:13] 
so I want to compare Event 1 "Here are the current group members" to Event 2's "Here are the current group members" and find what changed

Re: How can I compare mvfields and get a diff?

DalJeanis — Tue, 05 Sep 2017 18:01:14 GMT

Okay, first, set diff is clunky and I haven't found a good use case for it. There are much easier ways to compare things.

Let's just do the basic straightforward approach. put the first set in with some field marked "A" and the second set in with some field marked "B".

    | inputcsv append=t mylistA.csv | table user group | eval myfield="A"
    | append [ | inputcsv append=t mylistA.csv | table user group | eval myfield="B"]
    | stats values(myfield) as myfield by user group

This gives you records which have three fields, user, group and myfield. myfield is a multivalue field, and if it has mvcount(myfield)>1 then it is in both files unchanged. If you just want to see changes then do this....

   | where mvcount(myfield)=1
   | eval mystatus = if(myfield="A","removed", "added")

Re: How can I compare mvfields and get a diff?

woodcock — Wed, 06 Sep 2017 03:04:05 GMT

Wow, this one was SUPER fun! Feast your eyes on this @alacercogitatus:

| makeresults
| eval raw="a,b,c,d,e a,b,c,e,f"
| makemv raw
| mvexpand raw
| makemv delim="," raw
| eval host="matchingHost"
| streamstats count AS _serial
| eval after=if(_serial=1, raw, null())
| eval before=if(_serial=2, raw, null())
| fields - raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| selfjoin _time host
| streamstats count AS _serial
| multireport
    [| mvexpand after
    | where before!=after
    | rename after AS removed]
    [| mvexpand before
    | where before!=after
    | rename before AS added]
| fields - before after
| stats first(_time) AS _time first(host) AS host values(*) AS * BY _serial

As long as the pairs of events have the same exact timestamp, this works for any number of hosts and pairs.

Re: How can I compare mvfields and get a diff?

woodcock — Sat, 30 Jun 2018 21:17:19 GMT

@daniel333 You should pick the bestest answer and click Accept to close this question (and UpVote any good/useful answers).

Re: How can I compare mvfields and get a diff?

woodcock — Fri, 12 Apr 2019 20:22:31 GMT

If one of these worked, @daniel333, then you should come back and click Accept to close the question and help others.

Re: How can I compare mvfields and get a diff?

RobertEikel — Thu, 27 May 2021 14:49:40 GMT

This was much easier for me:

eval diff=mvmap(field1,if(isnull(mvfind(field2,field1)),field1,null))

Re: How can I compare mvfields and get a diff?

sureshmurgan — Thu, 08 Dec 2022 18:12:24 GMT