<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to verify the data held in two apps is the same? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-verify-the-data-held-in-two-apps-is-the-same/m-p/162289#M32941</link>
    <description>&lt;P&gt;Try these&lt;/P&gt;

&lt;P&gt;Get list of accountId which are NOT present in both the sourcetypes (present in either)&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;sourcetype="appOneLog" OR sourcetype="appTwoLog" | stats values(sourcetype) as st by accountId | where mvcount(st)=1
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Get list of accountId present in appOneLog but not in appTwoLog&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;sourcetype="appOneLog" OR sourcetype="appTwoLog" | stats values(sourcetype) as st by accountId | where mvcount(st)=1 and mvindex(st,0)="appOneLog"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Get list of accountId present in appTwoLog but not in appOneLog&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;sourcetype="appOneLog" OR sourcetype="appTwoLog" | stats values(sourcetype) as st by accountId | where mvcount(st)=1 and mvindex(st,0)="appTwoLog"
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Tue, 14 Oct 2014 22:35:52 GMT</pubDate>
    <dc:creator>somesoni2</dc:creator>
    <dc:date>2014-10-14T22:35:52Z</dc:date>
    <item>
      <title>How to verify the data held in two apps is the same?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-verify-the-data-held-in-two-apps-is-the-same/m-p/162288#M32940</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;I have a situation where I need to verify that the data held in two apps is the same.&lt;BR /&gt;
To perform this verification I am logging out the data for each account into two log files: appOneLog and appTwoLog.&lt;BR /&gt;
These logs contain the field accountId and some other data relating to the account.&lt;/P&gt;

&lt;P&gt;I'm trying to find all the accountIds that are present in appOne and not appTwo and vice versa.&lt;BR /&gt;
I have made various attempts at this which, I think, should work according to the Splunk documentation.&lt;/P&gt;

&lt;P&gt;First of all, I tried to use the transaction command to pair up events from appOneLog and appTwoLog into transactions and match against any transaction that had less than 2 events i.e.:&lt;/P&gt;

&lt;P&gt;sourcetype="app*" | sort 0 str(accountId) | transaction accountId maxspan=10m maxpause=10m maxevents=2 | search eventcount&amp;lt;2&lt;/P&gt;

&lt;P&gt;but when checking the results of this query I found it to contain some events for accounts that were actually present in both sets of logs.&lt;/P&gt;

&lt;P&gt;I then tried to take a different approach by labelling each result from the appOneLog source with a present in appOne flag, creating a table and then performing a join on a search over the appTwoLog source that labelled each event with a present in appTwo flag. After that I would match on any event that did not have both flags set i.e.:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;sourcetype="appOneLog" | eval presentInAppOne="Y" | table accountId presentInAppOne | join accountId type=outer [search sourcetype="appTwoLog" | eval presentInAppTwo= "Y" | table accountId presentInAppTwo ] | where (NOT (presentInAppOne="Y" AND presentInAppTwo="Y"))
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;however, yet again, this returns some false positive results where the account actually is in both but is getting labelled as just being in appOne.&lt;/P&gt;

&lt;P&gt;Can you think of any reason why these false positive results are being returned?&lt;BR /&gt;
Or any alternative way of retrieving this information?&lt;/P&gt;

&lt;P&gt;An important thing to note here is that the number of events I am searching over is very large i.e. it can get up to just over 2,000,000 events.&lt;BR /&gt;
However, I have tried the above queries on a smaller subset of the results and still get the same problems.&lt;/P&gt;

&lt;P&gt;Thanks in advance.&lt;/P&gt;</description>
      <pubDate>Tue, 14 Oct 2014 09:38:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-verify-the-data-held-in-two-apps-is-the-same/m-p/162288#M32940</guid>
      <dc:creator>clack</dc:creator>
      <dc:date>2014-10-14T09:38:12Z</dc:date>
    </item>
    <item>
      <title>Re: How to verify the data held in two apps is the same?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-verify-the-data-held-in-two-apps-is-the-same/m-p/162289#M32941</link>
      <description>&lt;P&gt;Try these&lt;/P&gt;

&lt;P&gt;Get list of accountId which are NOT present in both the sourcetypes (present in either)&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;sourcetype="appOneLog" OR sourcetype="appTwoLog" | stats values(sourcetype) as st by accountId | where mvcount(st)=1
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Get list of accountId present in appOneLog but not in appTwoLog&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;sourcetype="appOneLog" OR sourcetype="appTwoLog" | stats values(sourcetype) as st by accountId | where mvcount(st)=1 and mvindex(st,0)="appOneLog"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Get list of accountId present in appTwoLog but not in appOneLog&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;sourcetype="appOneLog" OR sourcetype="appTwoLog" | stats values(sourcetype) as st by accountId | where mvcount(st)=1 and mvindex(st,0)="appTwoLog"
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 14 Oct 2014 22:35:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-verify-the-data-held-in-two-apps-is-the-same/m-p/162289#M32941</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2014-10-14T22:35:52Z</dc:date>
    </item>
    <item>
      <title>Re: How to verify the data held in two apps is the same?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-verify-the-data-held-in-two-apps-is-the-same/m-p/162290#M32942</link>
      <description>&lt;P&gt;Thanks, that is exactly what I was looking for and is also a lot more efficient than my previous attempts. I think they may have been hitting some memory constraints.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Oct 2014 13:25:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-verify-the-data-held-in-two-apps-is-the-same/m-p/162290#M32942</guid>
      <dc:creator>clack</dc:creator>
      <dc:date>2014-10-15T13:25:47Z</dc:date>
    </item>
  </channel>
</rss>

