topic Re: How do you compare multiple related fields in one search? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-related-fields-in-one-search/m-p/82667#M20989 <P>Yes, if I understand properly.</P> <P>Join all events about a single node with a transaction, then each transaction will have all the values.</P> <PRE><CODE> ...| transaction some_node_id_field ... </CODE></PRE> <P>from there, there are many things you can do -- compare particular nodes like this:</P> <PRE><CODE> | diff pos1=1 pos2=2 enables </CODE></PRE> <P>get top combinations...</P> <PRE><CODE> | top audit, enables </CODE></PRE> <P>cluster nodes to similar nodes...</P> <PRE><CODE> | cluster </CODE></PRE> Tue, 11 Jan 2011 04:48:26 GMT carasso 2011-01-11T04:48:26Z How do you compare multiple related fields in one search? https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-related-fields-in-one-search/m-p/82666#M20988 <P>I'd like to compare the configuration of several nodes using a single search. Each node has multiple keys expressed as one key value pair per event i.e.</P> <P>timestamp audit=true<BR /> timestamp enabled=true</P> <P>Is there a way to compare all the keys against each other and report deltas?</P> <BLOCKQUOTE> <BLOCKQUOTE> <P>I've updated the quested to ensure it's correctly formatted.</P> </BLOCKQUOTE> </BLOCKQUOTE> Wed, 03 Nov 2010 19:55:13 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-related-fields-in-one-search/m-p/82666#M20988 Marinus 2010-11-03T19:55:13Z Re: How do you compare multiple related fields in one search? https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-related-fields-in-one-search/m-p/82667#M20989 <P>Yes, if I understand properly.</P> <P>Join all events about a single node with a transaction, then each transaction will have all the values.</P> <PRE><CODE> ...| transaction some_node_id_field ... </CODE></PRE> <P>from there, there are many things you can do -- compare particular nodes like this:</P> <PRE><CODE> | diff pos1=1 pos2=2 enables </CODE></PRE> <P>get top combinations...</P> <PRE><CODE> | top audit, enables </CODE></PRE> <P>cluster nodes to similar nodes...</P> <PRE><CODE> | cluster </CODE></PRE> Tue, 11 Jan 2011 04:48:26 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-related-fields-in-one-search/m-p/82667#M20989 carasso 2011-01-11T04:48:26Z