https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/557468#M158323 <P>You will need to provide a little more information on the fields in your data you are looking to compare and what output you will expect to see at the end.</P><P>Can you provide an example?</P> Mon, 28 Jun 2021 21:36:50 GMT bowesmana 2021-06-28T21:36:50Z https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/557467#M158322 <DIV>I have 2 data sets</DIV><DIV>&nbsp;</DIV><DIV>index=support source=sites earliest=-1d@d latest=-0d@d<BR />index=support source=sites earliest=-0d@d latest=now</DIV><DIV>&nbsp;</DIV><DIV><DIV>I want to pull out that data which is changed in data set 2 as compared to data set 1</DIV></DIV> Mon, 28 Jun 2021 21:25:27 GMT https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/557467#M158322 ppanchal 2021-06-28T21:25:27Z https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/557468#M158323 <P>You will need to provide a little more information on the fields in your data you are looking to compare and what output you will expect to see at the end.</P><P>Can you provide an example?</P> Mon, 28 Jun 2021 21:36:50 GMT https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/557468#M158323 bowesmana 2021-06-28T21:36:50Z https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/557473#M158325 <P>We have a field called Site_id which is a string.</P><P>Example:</P><P>Set 1 -&nbsp;Site id = a1, a2, a3</P><P>Set 2 -&nbsp;Site id = a2, a3, a4</P><P>My result should be Site id = a1, a4</P> Mon, 28 Jun 2021 21:48:30 GMT https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/557473#M158325 ppanchal 2021-06-28T21:48:30Z https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/557478#M158327 <P>Try this</P><LI-CODE lang="markup">(index=support source=sites earliest=-1d@d latest=-0d@d) OR (index=support source=sites earliest=-0d@d latest=now) | bin _time span=1d@d | stats count by _time Site_id | stats values(_time) as _time by Site_id | where mvcount(_time) = 1</LI-CODE><P>This groups the sites by date then counts the dates that site has been found and only looks for results where there is only one time value.</P><P>Hope this helps</P><P>&nbsp;</P> Mon, 28 Jun 2021 22:00:36 GMT https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/557478#M158327 bowesmana 2021-06-28T22:00:36Z https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/557680#M158381 <P>This did not work, I tried below,</P><P>(index=support source=sites SITE_ID=S028 AND SITE_ID=S056 earliest=-1d@d latest=-0d@d) OR (index=support source=sites SITE_ID=S028 AND SITE_ID=S056 AND SITE_ID=S10 earliest=-0d@d latest=now)<BR />| bin _time span=1d@d | stats count by _time SITE_ID | stats values(_time) as _time by SITE_ID | where mvcount(_time) = 1</P><P>It gives me 0 events/results. Can you please help?</P> Tue, 29 Jun 2021 20:13:16 GMT https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/557680#M158381 ppanchal 2021-06-29T20:13:16Z https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/557730#M158407 <P>Can you take out the 'where' clause, so you can see what results you get back. If you replace the where clause with&nbsp;</P><LI-CODE lang="markup">| eval date=strftime(_time, "%F")</LI-CODE><P>then you will get a date column, where it shows you the dates of data it has seen for those sites.</P><P>&nbsp;</P> Wed, 30 Jun 2021 02:00:28 GMT https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/557730#M158407 bowesmana 2021-06-30T02:00:28Z https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/558452#M158639 <P>No this will not help me. I have like 500-600 site IDs. I will have to go through the entire list to see the IDs are present for both the dates.</P><P>Any other solution?</P><P>I only want to find the sites ids that&nbsp; has only 1 occurrence.&nbsp;</P> Tue, 06 Jul 2021 16:43:39 GMT https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/558452#M158639 ppanchal 2021-07-06T16:43:39Z https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/558458#M158640 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/204504">@ppanchal</a>&nbsp;See if the below logic helps!!<BR /><BR /></P><LI-CODE lang="markup">| makeresults | eval site="1,2,3" | makemv site delim="," | mvexpand site | appendcols [| makeresults | eval site1="4,3,5" | makemv site1 delim="," | mvexpand site1] | eventstats values(site1) as site2 | eval val=if(in(site,site2),"YES","NO") ============================ index=support source=sites earliest=-1d@d latest=-0d@d | rename site as site1 | table site1 | appendcols [search index=support source=sites earliest=-0d@d latest=now | rename site as site2 | table site2] |eventstats values(site2) as site2_values | eval present_in_both=if(in(site1,site2_values),"YES","NO")</LI-CODE> Tue, 06 Jul 2021 17:45:30 GMT https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/558458#M158640 sanjeev543 2021-07-06T17:45:30Z https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/558997#M158808 <P>It shouldn't matter how many you have - the point is to see what your search is returning so the first line would be enough to investigate - it might be that your time constraints in the query are not working in your environment in that 'now' is not giving you any window between <A href="mailto:-0d@d" target="_blank">-0d@d</A></P><P>you could change the time constraints to</P><LI-CODE lang="markup">(index=support source=sites earliest=-2d@d latest=-1d@d) OR (index=support source=sites earliest=-1d@d latest=@d)</LI-CODE><P>which will compare two days ago to yesterday</P> Sun, 11 Jul 2021 23:10:53 GMT https://community.splunk.com/t5/Splunk-Search/Compare-2-datasets/m-p/558997#M158808 bowesmana 2021-07-11T23:10:53Z