topic Comparing results from two searches in Splunk Enterprise Security

Comparing results from two searches

rupeshn — Wed, 04 Sep 2019 13:37:35 GMT

index="A" sourcetype=B action=Yes

| search NOT [ search index="A" sourcetype=B action="No" | fields User ] | stats count by User .

Here I'm trying to get user whose action is Yes. But whenever users get 'Yes' they get 'No' as well in 20% of cases at same time.
So I want those 80% users who are having action as only Yes.

Could you please help.

Re: Comparing results from two searches

rupeshn — Wed, 04 Sep 2019 13:39:22 GMT

When i run above query I'm getting results of both users i.e., action=Yes and action= No. I'mm not sure where this Query went wrong

Re: Comparing results from two searches

kmaron — Wed, 04 Sep 2019 14:22:19 GMT

Are you only going to have a single Yes and/or a single No for a user? So the most entries you would have for a single user is 2?

Re: Comparing results from two searches

solarboyz1 — Wed, 04 Sep 2019 14:36:53 GMT

So, you looking for users who only received one of the two actions?

Using a subsearch has it's limits:
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/Useasubsearch

You could accomplish something similar with the following:

index="A" sourcetype=B action=Yes  OR action=No
| stats dc(action) as action_count by User
| search action_count<2

Re: Comparing results from two searches

kmaron — Wed, 04 Sep 2019 14:39:59 GMT

That would also give you the No people.

But changing it to

 index="A" sourcetype=B action=Yes  OR action=No
 | stats dc(action) as action_count values(action) as action by User
 | search action_count<2 AND action=Yes

Would be only Yes's.

Re: Comparing results from two searches

solarboyz1 — Wed, 04 Sep 2019 14:46:17 GMT

good catch!

Re: Comparing results from two searches

rupeshn — Wed, 04 Sep 2019 15:24:09 GMT

I've tried the query posted by you. But it still gives both the users.

Re: Comparing results from two searches

rupeshn — Wed, 04 Sep 2019 15:25:09 GMT

@kmaron ,I've tried the query posted by you. But it still gives both the users.

Re: Comparing results from two searches

rupeshn — Wed, 04 Sep 2019 15:42:52 GMT

I mean users with both actions.

Re: Comparing results from two searches

kmaron — Wed, 04 Sep 2019 15:59:54 GMT

please share the output you got

Re: Comparing results from two searches

rupeshn — Sat, 07 Sep 2019 17:10:18 GMT

Hi kmaron,

I'm getting output but i believe the output that i'm getting is very less(less number of records) than what it should be.

Re: Comparing results from two searches

solarboyz1 — Mon, 09 Sep 2019 13:24:11 GMT

If you think the results are incorrect, you can break the search down and review the data:

index="A" sourcetype=B action=Yes  OR action=No
 | stats dc(action) as action_count, values(action) as action, by User

Will show all the results, you can sort by action_count, action, etc.. Look for anomalous values for action.