https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-ip-s-from-search1-in-search2-and-find-the/m-p/598497#M208406 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49826">@kpavan</a>,</P><P>you should explore the dc option in stats, something like this:</P><LI-CODE lang="markup">(index=index1) OR (index=index2) | eval ip=if(index=index1,ip_1,ip_2) | stats dc(index) AS dc_index values(index) AS index BY ip | eval status=case(dc_index=2,"both indexes",dc_index=1 AND index=index1,"only index1",dc_index=1 AND index=index2,"only index2") | stats dc(ip) AS count BY status</LI-CODE><P>In this way you can know if an Ip is present in both the indexes or only in one of them and you can make all the operations you want.</P><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Thu, 19 May 2022 13:48:32 GMT gcusello 2022-05-19T13:48:32Z https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-ip-s-from-search1-in-search2-and-find-the/m-p/598488#M208403 <P>Hi,</P> <P>am trying to find list of ip's from search1 which are missing in search2 and get all the ip from search1 and calculate the percentage of missing ip's. This will help to identify the number of ip's.</P> <P>&nbsp;</P> <P>Thanks in advance!</P> Thu, 19 May 2022 16:15:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-ip-s-from-search1-in-search2-and-find-the/m-p/598488#M208403 kpavan 2022-05-19T16:15:17Z https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-ip-s-from-search1-in-search2-and-find-the/m-p/598497#M208406 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49826">@kpavan</a>,</P><P>you should explore the dc option in stats, something like this:</P><LI-CODE lang="markup">(index=index1) OR (index=index2) | eval ip=if(index=index1,ip_1,ip_2) | stats dc(index) AS dc_index values(index) AS index BY ip | eval status=case(dc_index=2,"both indexes",dc_index=1 AND index=index1,"only index1",dc_index=1 AND index=index2,"only index2") | stats dc(ip) AS count BY status</LI-CODE><P>In this way you can know if an Ip is present in both the indexes or only in one of them and you can make all the operations you want.</P><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Thu, 19 May 2022 13:48:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-ip-s-from-search1-in-search2-and-find-the/m-p/598497#M208406 gcusello 2022-05-19T13:48:32Z https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-ip-s-from-search1-in-search2-and-find-the/m-p/598502#M208408 <P>Assuming ip occurs at most once in both searches</P><LI-CODE lang="markup">search1 | eval search=1 | append [search2 | eval search=-1] | stats sum(search) as search by ip | stats count(eval(search==1)) as ip1 count | eval percent=100*ip1/count</LI-CODE> Thu, 19 May 2022 13:55:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-ip-s-from-search1-in-search2-and-find-the/m-p/598502#M208408 ITWhisperer 2022-05-19T13:55:19Z https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-ip-s-from-search1-in-search2-and-find-the/m-p/598534#M208417 <P>Thanks for both response!</P><P>&nbsp;</P><P>Meanwhile i was working different method like below, I got percentage results, wanted to confirm if this is correct way of doing it? or anything wrong in it.</P><P>(<BR />(index=compliance sourcetype=site1-ip ) OR<BR />(index=automation sourcetype=site2-asset))<BR />| eval ip=case(sourcetype="site1-ip", 'src.ip', sourcetype="site2-asset", ip )<BR />| eval te=if(sourcetype="site2-asset","yes","no")<BR />| eval ta=if(sourcetype="site1-ip","yes","no")<BR />| stats max(eval(if(te="yes",1,0))) AS SCANNED max(eval(if(ta="yes",1,0))) AS CTA values(fqdn) as fqdn_ta values(resourceOwner) as ip.owner by ip<BR />| search (CTA=1)<BR />| stats count(eval( SCANNED &gt; 0)) AS tes, count(ip) as total<BR />| eval percent = round((tes/(total))*100,2)<BR /><BR /></P><P>Thanks again!</P> Thu, 19 May 2022 16:29:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-missing-ip-s-from-search1-in-search2-and-find-the/m-p/598534#M208417 kpavan 2022-05-19T16:29:46Z