https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552494#M156824 <P>Files are indexed through inputs.cong .&nbsp;</P><P>Files differs as.. example file1 indexed today has 1event&nbsp; ZC_01;11;13;30 and when updated and indexed it has 2 events&nbsp;ZC_01;11;13;30<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;ZC_01;11;13;29</P><P>i have to display the result as...&nbsp;&nbsp;&nbsp;ZC_01;11;13;29 this is the newly added data in the updated file1.</P><P>&nbsp;</P> Fri, 21 May 2021 05:50:50 GMT akankshayadav 2021-05-21T05:50:50Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552488#M156821 <P>I have a file which is being indexed(say today) and then again indexed after updating(say tomorrow). I have to compare the events of the two versions and display the event(s) which is present in the&nbsp; new one but not in old or vice versa. Can any help?</P> Fri, 21 May 2021 04:35:14 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552488#M156821 akankshayadav 2021-05-21T04:35:14Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552489#M156822 <P>How is the file indexed? How do the events differ from day to day? How many events per file when indexed? What else can you say about the indexing process?</P> Fri, 21 May 2021 05:29:41 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552489#M156822 ITWhisperer 2021-05-21T05:29:41Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552494#M156824 <P>Files are indexed through inputs.cong .&nbsp;</P><P>Files differs as.. example file1 indexed today has 1event&nbsp; ZC_01;11;13;30 and when updated and indexed it has 2 events&nbsp;ZC_01;11;13;30<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;ZC_01;11;13;29</P><P>i have to display the result as...&nbsp;&nbsp;&nbsp;ZC_01;11;13;29 this is the newly added data in the updated file1.</P><P>&nbsp;</P> Fri, 21 May 2021 05:50:50 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552494#M156824 akankshayadav 2021-05-21T05:50:50Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552501#M156828 <P>Do the events from the two different days have different timestamps? Do events from the first indexing also appear in the second indexing (just with different timestamps)?</P> Fri, 21 May 2021 06:22:43 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552501#M156828 ITWhisperer 2021-05-21T06:22:43Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552504#M156829 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="akankshayadav_0-1621578250200.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14254iBAA153AB25ABAE2F/image-size/medium?v=v2&amp;px=400" role="button" title="akankshayadav_0-1621578250200.png" alt="akankshayadav_0-1621578250200.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="akankshayadav_1-1621578348703.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14255iCF5B3846B470ADB3/image-size/medium?v=v2&amp;px=400" role="button" title="akankshayadav_1-1621578348703.png" alt="akankshayadav_1-1621578348703.png" /></span></P><P>&nbsp;</P><P>This image can help you understand the scenario.&nbsp;</P><P>&nbsp;</P> Fri, 21 May 2021 06:26:00 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552504#M156829 akankshayadav 2021-05-21T06:26:00Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552507#M156831 <P>How about something like this</P><LI-CODE lang="markup">search 1 | append [search 2] | eventstats count by _raw | where count=1</LI-CODE> Fri, 21 May 2021 06:40:24 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552507#M156831 ITWhisperer 2021-05-21T06:40:24Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552508#M156832 <P>Actually sir, i am a very beginner. Can you&nbsp; elaborate the query in an clear way. The above one didn't work. What should i write in place of search 1 and 2?</P> Fri, 21 May 2021 06:46:33 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552508#M156832 akankshayadav 2021-05-21T06:46:33Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552514#M156834 <P>You might not need two searches if both times the file is indexed they go into the same index</P><LI-CODE lang="markup">index="compindex" | eventstats count by _raw | where count=1</LI-CODE><P>The problem with defining your question with non-specific or fabricated examples is that the answers are often just as vague and it takes longer to resolve, but this is the price we pay for anonymisation&nbsp;<span class="lia-unicode-emoji" title=":beaming_face_with_smiling_eyes:">😁</span></P> Fri, 21 May 2021 07:03:40 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552514#M156834 ITWhisperer 2021-05-21T07:03:40Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552515#M156835 <P>i did this one and got the resutl. thank u sir. and one more help.. how to display it as a table with columns&nbsp;</P><P>source&nbsp; time(when file was indexed latest)&nbsp; OnlyThe NewData&nbsp;</P> Fri, 21 May 2021 07:07:53 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552515#M156835 akankshayadav 2021-05-21T07:07:53Z https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552517#M156837 <LI-CODE lang="markup">index="compindex" | eventstats count by _raw | where count=1 | table source _indextime _raw</LI-CODE> Fri, 21 May 2021 07:16:10 GMT https://community.splunk.com/t5/Splunk-Search/File-Comparision/m-p/552517#M156837 ITWhisperer 2021-05-21T07:16:10Z