topic Re: How to efficiently show the difference between two fields from different sources in Splunk Search

How to efficiently show the difference between two fields from different sources

nathg123 — Fri, 02 Jul 2021 05:44:35 GMT

Hey All,

Here is my search

index=main event_simpleName=NeighborListIP4 OR event_simpleName=SensorHeartbeat
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC4>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC5>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC4>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC5>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC6>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| eval Combiner = mvappend('MAC1', 'MAC2', 'MAC3', 'MAC4', 'MAC5', 'MAC6')
| mvexpand Combiner
| dedup Combiner
| table Combiner

I want to show what is in the Combiner field but not present within the MAC field only inside event_simpleName=SensorHeartbeat MAC=*

However both event_simpleName=NeighborListIP4 and event_simpleName=SensorHeartbeat contain the field name MAC.

Not sure what is the most efficient way of doing this is, I was attempting to use diff command however no luck.

Any help would be much appreciated!

Thanks

Re: How to efficiently show the difference between two fields from different sources

kamlesh_vaghela — Fri, 02 Jul 2021 06:05:23 GMT

@nathg123

Can you please share some events and the expectations from that samples?

Re: How to efficiently show the difference between two fields from different sources

nathg123 — Fri, 02 Jul 2021 06:24:54 GMT

@kamlesh_vaghela
I have the field "Combiner" within event_simpleName=NeighborListIP4
I have the field "MAC" within event_simpleName=SensorHeartbeat

Both fields contains MAC address's, I want to output what's in Combiner but not in MAC.

However event_simpleName=NeighborListIP4 also has the field MAC, which I want to completely disregard.

Sorry its difficult to explain, I hope this clears it up!

event_simpleName=NeighborListIP4 Combiner	event_simpleName=SensorHeartbeat MAC
1	4	Give me value of Combiner
4	4	Don't give me the value
5	7	Give me value of Combiner

Re: How to efficiently show the difference between two fields from different sources

kamlesh_vaghela — Fri, 02 Jul 2021 06:56:19 GMT

@nathg123

Yes it's difficult. let me share what I've tried. I'm not what search you design in earlier post. But can you please try this?

My Sample Search :

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.