https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-compare-data-in-two-different/m-p/339266#M100590 <P>Thanks for your answer. I need to keep those both environments separate. Thats why i wanted to make a lookup at one to compare it to the other environment. I'am new with Splunk so don't know how to do check if in "old" environment has the same data as in the "new" environment.</P> <P>Thanks </P> Tue, 31 Oct 2017 12:43:22 GMT AydinCan 2017-10-31T12:43:22Z https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-compare-data-in-two-different/m-p/339263#M100587 <P>Hallo splunk users,</P> <P>What is the best way to compare the same data in two different environments (producktion and lab) with outputlookup? </P> <P>thanks Aydin </P> Tue, 31 Oct 2017 09:23:59 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-compare-data-in-two-different/m-p/339263#M100587 AydinCan 2017-10-31T09:23:59Z https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-compare-data-in-two-different/m-p/339264#M100588 <P>Can you add some sample data from Prod and Lab (mask or anonymize any sensitive information before posting)?</P> <P>What is the type of data and also explain what are the type of differences you are trying to capture? Please add more details for community to assist you better.</P> Tue, 31 Oct 2017 10:01:06 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-compare-data-in-two-different/m-p/339264#M100588 niketn 2017-10-31T10:01:06Z https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-compare-data-in-two-different/m-p/339265#M100589 <P>Hi<BR /> why do you speak about "outputlookup"?</P> <P>At first you can ingest logs from both your environments and put them into one or two indexes:</P> <UL> <LI>probably you're not interested to maintain lab logs for the same time of production logs, so it could be better to put logs into two different indexes (e.g. my_prod and my_lab)</LI> <LI>then you can configure the same ingestion (sourcetypes) in bothe the environments so you can compare fields</LI> <LI><P>so you can put in the same search both the indexes and run something like this:</P> <P>index=my_prod OR index=my_lab<BR /> | chart count over field1 BY index<BR /> in this way you can compare the number of occurrances of field1 in both the environments.</P></LI> </UL> <P>If instead you want to compare values you can run something like this:</P> <PRE><CODE>index=my_prod OR index=mt_lab | eval field1_prod=(if index="my_prod", field1,""), field1_lab=(if index="my_lab", field1,"") | table _time field1_prod field1_lab </CODE></PRE> <P>in this way you can compare field1 values in both the environments.<BR /> Following the above methods you can performa other comparations.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 16:31:38 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-compare-data-in-two-different/m-p/339265#M100589 gcusello 2020-09-29T16:31:38Z https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-compare-data-in-two-different/m-p/339266#M100590 <P>Thanks for your answer. I need to keep those both environments separate. Thats why i wanted to make a lookup at one to compare it to the other environment. I'am new with Splunk so don't know how to do check if in "old" environment has the same data as in the "new" environment.</P> <P>Thanks </P> Tue, 31 Oct 2017 12:43:22 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-compare-data-in-two-different/m-p/339266#M100590 AydinCan 2017-10-31T12:43:22Z https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-compare-data-in-two-different/m-p/339267#M100591 <P>Hi AydinCan,<BR /> if you're satisfied by this answer, please accept or upvote it.<BR /> Bye.<BR /> Giuseppe</P> Tue, 31 Oct 2017 12:45:24 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-compare-data-in-two-different/m-p/339267#M100591 gcusello 2017-10-31T12:45:24Z