https://community.splunk.com/t5/Splunk-Search/Comparing-2-results-and-showing-difference/m-p/540496#M152916 <P>Thanks.&nbsp; I neglected to use "index OR index" as an an option.&nbsp; I will definitely remove fields as the real data has a lot more data in it.&nbsp;&nbsp;</P> Fri, 19 Feb 2021 08:42:56 GMT willadams 2021-02-19T08:42:56Z https://community.splunk.com/t5/Splunk-Search/Comparing-2-results-and-showing-difference/m-p/540478#M152913 <P>My scenario is that I am trying to alert in the event where a user has been provided to an application <STRONG>but</STRONG> that same user wasn't added to an Active Directory group .&nbsp; So I have the following 2 indexes that provide me the information</P><P><STRONG>Application Access&nbsp;</STRONG>is in "index=myapp"</P><P><STRONG>Active Directory</STRONG> is in the "index=ad"</P><P>My search for a new user being given access to the application is something such as</P><P>&nbsp;</P><LI-CODE lang="markup">index=myapp Operation=Creation user_object="user*@mydomain.com"</LI-CODE><P>&nbsp;</P><P>My search for a user being added to an Active Directory group is</P><P>&nbsp;</P><LI-CODE lang="markup">index=ad EventCode=4728 Group_Name="myapp_users"</LI-CODE><P>&nbsp;</P><P>I have tried the following searches that provide me with data but I can't figure out the next step to show where my objective is met (i.e. where the user didn't get added to the group but was given access to the app).&nbsp;&nbsp;</P><P>&nbsp;</P><P><STRONG>First Search&nbsp;</STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">index=myapp Operation=Creation user_object="user*@mydomain.com" | dedup RID | eval dest_user=split(user_object,"@") | eval extracteduser=mvindex(dest_user,0) | join type=inner extracteduser [search index=ad EventCode=4728 | rex field=user "^(?extracteduser&gt;[^\,]+)" | eval extracteduser=split(extracteduser,"=") | eval extracteduser=mvindex(extracteduser,1) | fields Group_Name, extracteduser]</LI-CODE><P>&nbsp;</P><P>In my example I will get 3 returned results.&nbsp; USERA which was added to the application AND was added as a member to the AD group; USERB which was added to the application AND was added as a member to the AD group; and USERC which was added to the application but NOT added as a member to the AD group (myapp_users).&nbsp; The problem becomes that in the results that are returned I see</P><P>For the event returned for USERA and USERC, I see</P><P>&nbsp;</P><LI-CODE lang="markup">Operation=Create user_object=USERA extracteduser=USERA Operation=Create user_object=USERB extracteduser=USERA</LI-CODE><P>&nbsp;</P><P>however for the USERC event, I see</P><P>&nbsp;</P><LI-CODE lang="markup">Operation=Create user_object=USERC extracteduser=USERA</LI-CODE><P>&nbsp;</P><P>so I am getting the wrong extracteduser for the USERC event (no doubt because of the join).&nbsp; I have then abandoned the join and moved to a multi-search</P><P><STRONG>Second Search&nbsp;</STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">| multisearch [search index=myapp Operation=Creation user_object="user*@mydomain.com" | rename user_object as app_newuser] [search index=ad EventCode=4728" Group_Name="myapp_users" | rename user AS adperm_user] | rex field=adperm_user "^(?&lt;extracteduser&gt;[^\,]+)" | rex field=extracteduser "(?&lt;CNAttrib&gt;CN=(?&lt;ad_user&gt;.+))" | eval app_newuser=split(app_newuser,"@") | eval app_newuser=mvindex(app_newuser,0) | eval app_newuser=lower(app_newuser) | eval ad_user=lower(ad_user)</LI-CODE><P>&nbsp;</P><P>This gives me 2 fields that I now need to compare</P><P>ad_user shows USERA and USERB &lt;-- these users were added to the AD group AND the app<BR />app_newuser shows USERA, USERB, and USERC &lt;-- these 3 users were added to the app</P><P>&nbsp;</P><P>The result that I want in the end is to only show USERC as that was not a member of the AD group.&nbsp; I have tried using something like the following but come up blank.</P><P>&nbsp;</P><LI-CODE lang="markup">| where NOT app_newuser = ad_user | search NOT app_newuser = ad_user</LI-CODE><P>&nbsp;</P><P>I have probably made this more complicated than it needs to be, but am stuck now.</P> Fri, 19 Feb 2021 07:20:35 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-2-results-and-showing-difference/m-p/540478#M152913 willadams 2021-02-19T07:20:35Z https://community.splunk.com/t5/Splunk-Search/Comparing-2-results-and-showing-difference/m-p/540487#M152914 <P>Try something like this</P><LI-CODE lang="markup">(index=myapp AND Operation=Creation AND user_object="user*@mydomain.com") OR (index=ad AND EventCode=4728" AND Group_Name="myapp_users") | rename user_object as app_newuser | rename user AS adperm_user | rex field=adperm_user "^(?&lt;extracteduser&gt;[^\,]+)" | rex field=extracteduser "(?&lt;CNAttrib&gt;CN=(?&lt;user&gt;.+))" | eval app_newuser=split(app_newuser,"@") | eval user=mvindex(app_newuser,0) | eval user=lower(user) | stats values(*) as * by user | fillnull value="NA" Group_Name | where Group_Name="NA"</LI-CODE><P>Essentially, extract the user from whichever field it appears in, then "join" with stats, finally determine which users don't have an entry in AD</P><P>You may need to play around with field names depending on your actually data e.g. you might want to remove fields you are not interested in before the stats values(*)</P> Fri, 19 Feb 2021 08:06:15 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-2-results-and-showing-difference/m-p/540487#M152914 ITWhisperer 2021-02-19T08:06:15Z https://community.splunk.com/t5/Splunk-Search/Comparing-2-results-and-showing-difference/m-p/540496#M152916 <P>Thanks.&nbsp; I neglected to use "index OR index" as an an option.&nbsp; I will definitely remove fields as the real data has a lot more data in it.&nbsp;&nbsp;</P> Fri, 19 Feb 2021 08:42:56 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-2-results-and-showing-difference/m-p/540496#M152916 willadams 2021-02-19T08:42:56Z