https://community.splunk.com/t5/Splunk-Search/Help-comparing-outputcsv-to-inputcsv/m-p/599217#M208603 <P>You could use stats values(*) as * by key field and then look for mvcount()s greater than 1</P> Wed, 25 May 2022 06:28:14 GMT ITWhisperer 2022-05-25T06:28:14Z https://community.splunk.com/t5/Splunk-Search/Help-comparing-outputcsv-to-inputcsv/m-p/598634#M208449 <P>Hi Team.<BR /><BR />I have a big ol search that tables a bunch of resource usage data. Now i smack and outputcsv on that badboy, and schedule it to run once a month.<BR /><BR />Before it runs next month i would like to run the search again , drag in the old search with inputcsv and then compare the two, and maybe only list the changes (And maybe how much it changes?)</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">(index="redacted" OR index="redacted2") EventCode=1011 | rex field=Message "\W(?&lt;ServerName&gt;\S+)\s\w+\W(?&lt;PowerState&gt;\S+)\s\w+\W(?&lt;CpuCount&gt;\S+)\s\w+\W(?&lt;CoresPerSocket&gt;\S+)\s\w+\W(?&lt;GuestHostName&gt;\S+)(:)(?&lt;GuestOS&gt;.+)(MemoryMB)\W(?&lt;MemoryMB&gt;\S+)\s\w+\W(?&lt;ResourcePool&gt;.+)(Version)\W(?&lt;Version&gt;\w+)\s\w+\W(?&lt;UsedSpaceGB&gt;\S+)\s\w+\W(?&lt;ProvisionedSpaceGB&gt;\S+)\s\w+\W(?&lt;VMHost&gt;\S+)\s\w+\W(?&lt;Folder&gt;.+)" | eval UsedSpaceGB = round(UsedSpaceGB,2) | eval ProvisionedSpaceGB = round(ProvisionedSpaceGB,2) | search VMHost="***" | table ServerName PowerState CpuCount CoresPerSocket GuestHostName GuestOS MemoryMB ResourcePool Version UsedSpaceGB ProvisionedSpaceGB VMHost Folder | dedup ServerName | search ServerName="*" | search VMHost="*" PowerState="*" ResourcePool="redacted "| outputcsv redacted_filename.csv</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><BR />New search: inputcsv redacted_filename.csv lists the old search just fine, except it sorted the tablenames alphabetically, but whatever.<BR /><BR />Is there an easy way to compare the two, or will i have to extract all fields and compare manually?</P> Fri, 20 May 2022 15:28:26 GMT https://community.splunk.com/t5/Splunk-Search/Help-comparing-outputcsv-to-inputcsv/m-p/598634#M208449 michaelnorup 2022-05-20T15:28:26Z https://community.splunk.com/t5/Splunk-Search/Help-comparing-outputcsv-to-inputcsv/m-p/599212#M208601 <P>Anybody with an idea for a quicker way to do it?</P> Wed, 25 May 2022 06:22:11 GMT https://community.splunk.com/t5/Splunk-Search/Help-comparing-outputcsv-to-inputcsv/m-p/599212#M208601 michaelnorup 2022-05-25T06:22:11Z https://community.splunk.com/t5/Splunk-Search/Help-comparing-outputcsv-to-inputcsv/m-p/599217#M208603 <P>You could use stats values(*) as * by key field and then look for mvcount()s greater than 1</P> Wed, 25 May 2022 06:28:14 GMT https://community.splunk.com/t5/Splunk-Search/Help-comparing-outputcsv-to-inputcsv/m-p/599217#M208603 ITWhisperer 2022-05-25T06:28:14Z https://community.splunk.com/t5/Splunk-Search/Help-comparing-outputcsv-to-inputcsv/m-p/599222#M208606 <P>Hey ITWhisperer, thanks for replying.<BR /><BR />Think you could spell it out for me? <span class="lia-unicode-emoji" title=":neutral_face:">😐</span></P> Wed, 25 May 2022 06:37:07 GMT https://community.splunk.com/t5/Splunk-Search/Help-comparing-outputcsv-to-inputcsv/m-p/599222#M208606 michaelnorup 2022-05-25T06:37:07Z https://community.splunk.com/t5/Splunk-Search/Help-comparing-outputcsv-to-inputcsv/m-p/599225#M208608 <P>Try something like this</P><LI-CODE lang="markup">your search (without outputlookup) | inputlookup redacted_filename.csv | stats values(*) as * by ServerName | foreach * [| eval different=if(mvcount(&lt;&lt;FIELD&gt;&gt;) &gt; 1, "true", null())] | where different="true" </LI-CODE> Wed, 25 May 2022 06:52:54 GMT https://community.splunk.com/t5/Splunk-Search/Help-comparing-outputcsv-to-inputcsv/m-p/599225#M208608 ITWhisperer 2022-05-25T06:52:54Z