topic Re: Compare Two Fields with different Names on different Index in Splunk Enterprise Security

Compare Two Fields with different Names on different Index

mklhs — Sun, 21 Jul 2019 13:22:07 GMT

Hello Guys,

i have 2 Index index a and index b
on index a i have a field called nachrichtId
on index b i have a field called originalId
this both fields have the Same string (Value)

i want to write now a Search where i can found out if i have some nachrichtId events on Index a but no originalId on index b.

I want to find out if i have some problems with my Events or if i have a gap between this 2 Indexes

can anyone help me please Thank you 🙂

Re: Compare Two Fields with different Names on different Index

DavidHourani — Sun, 21 Jul 2019 13:58:26 GMT

Hi @mklhs,

If you're value is already in a field lets call it field_value you can run a search as follows :

index= nachrichtId OR index=originalId
| stats dc(index) as condition by field_value
| where condition<2

If the value is not extracted and its the whole event you wish to compare then you can use the _raw field:

index= nachrichtId OR index=originalId
| stats dc(index) as condition by _raw
| where condition<2

Let me know if that helps.

Cheers,
David

Re: Compare Two Fields with different Names on different Index

mklhs — Sun, 21 Jul 2019 14:07:22 GMT

Thank for your Answer but i dont know if this is right for me

I have 2 indexes
in index 1 i have an event with a field named Nachrichtentid
this field has the value foobar
in index 2 i have an event with a field named OriginalId
this field also has the value foobar

I want to find out which events are not forwarded by index 1 and index 2, so where events are missing here. In both indexes the events have only these 2 fields as unique value.

Re: Compare Two Fields with different Names on different Index

DavidHourani — Sun, 21 Jul 2019 14:20:16 GMT

First you need to make sure that this ID has the same name in both indexes to make it easier to join without using the join command. So first create an alias, call it joinID or something. Then run the search below :

 index=index1 OR index=index2
 | stats dc(index) as condition by joinID
 | where condition<2

This will fetch data from both indexes and see which ID is in less than 2 indexes.

If you also wish to know which index has the missing event, you can run the following:

 index=index1 OR index=index2
 | stats dc(index) as condition, values(index) as index by joinID
 | where condition<2

Re: Compare Two Fields with different Names on different Index

mklhs — Sun, 21 Jul 2019 14:42:46 GMT

Thats works for me Thank you for your Help

Re: Compare Two Fields with different Names on different Index

DavidHourani — Sun, 21 Jul 2019 14:52:05 GMT

you're welcome !