topic Re: How to find the difference of two query results? in Splunk Search

How to find the difference of two query results?

pench2k19 — Mon, 22 Apr 2019 17:50:30 GMT

Hi team,

I have two queries as follows

query1:

|inputlookup  abc.csv |table file  sla_time

query2:

index=xxx   source=yyyy |table file2

file2 values are subset of file values. I want to print the difference between the file and file2 fields along with the sla_time from the first query.

Can you help me here

@jkat54 @vnravikumar

Re: How to find the difference of two query results?

somesoni2 — Mon, 22 Apr 2019 18:06:17 GMT

Give this a try (giving list of file and corresponding sla_time from lookup abc.csv, which doesn't have a matching row in the search)

index=xxx source=yyyy |stats count by file2  | rename file2 as file
| append [|inputlookup abc.csv |table file sla_time]
| stats values(sla_time) as sla_time values(count) as count by file
| where isnull(count)

Re: How to find the difference of two query results?

pench2k19 — Tue, 23 Apr 2019 08:36:59 GMT

No luck @somesoni2..

Re: How to find the difference of two query results?

VatsalJagani — Tue, 23 Apr 2019 13:37:43 GMT

Hi @pench2k19,
You can use set difference for this purpose. This is similar to set in normal programming language or mathematics so this is even easy to understood. At the end use lookup command to get sla_time field.

| set diff [|inputlookup abc.csv |table file] [index=xxx source=yyyy | rename file2 as file|table file] | lookup abc.csv file output sla_time

Hope this helps!!!