https://community.splunk.com/t5/Splunk-Search/How-to-compare-two-results-every-week-and-display-the/m-p/625971#M217581 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245096">@btluynk</a>,</P><P>always remember that Splunk isn't a database and the join command must be used only when you haven't any other solution because it's a very slow and resource consuming command.</P><P>Let me understand: you want to find the hostname in windows and in logsource, but if you use the condition checker=0, you always have results, what do you want really find: the list of hostanems every week?</P><P>Anyway, your original search can be done using stats in this way:</P><LI-CODE lang="markup">(index=windows_server source=AD_Enabled_Server) OR (index=logsource source="/root/xxx/aaa.txt") | stats dc(index) AS index_count values(index) AS index BY hostname | where index_count=1 AND index=windows</LI-CODE><P>&nbsp;If instead you want to find the hostname in windows that are also in logsource, you can use :</P><LI-CODE lang="markup">index=windows_server source=AD_Enabled_Server [ search index=logsource source="/root/xxx/aaa.txt") | fields hostname ]</LI-CODE><P>this search has only the limit of 50,000 results in the subsearch.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 05 Jan 2023 09:12:08 GMT gcusello 2023-01-05T09:12:08Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-two-results-every-week-and-display-the/m-p/625959#M217576 <P>Hi team,</P><P>I want to compare two results every week and display the differences from one index. And I want create Jira ticket if the results are different.</P><P>Thanks</P> Thu, 05 Jan 2023 08:35:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-two-results-every-week-and-display-the/m-p/625959#M217576 btluynk 2023-01-05T08:35:22Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-two-results-every-week-and-display-the/m-p/625965#M217578 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245096">@btluynk</a>,</P><P>if you already created the search, please share it, otherwise, please share the sample data highlighting&nbsp; the fields to compare.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 05 Jan 2023 08:46:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-two-results-every-week-and-display-the/m-p/625965#M217578 gcusello 2023-01-05T08:46:00Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-two-results-every-week-and-display-the/m-p/625966#M217579 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a> ,</P><P>Thanks for your response, for example;</P><P>index=windows_server source=AD_Enabled_Server |dedup hostname|eval checker=0 |join type=outer hostname [search index=logsource source="/root/xxx/aaa.txt" |eval checker=1]|table hostname,checker|search checker=0</P><P>Every week this search runs and I get the results. But if the result is different, I want to create a structure like open a ticket.</P><P>Thanks</P> Thu, 05 Jan 2023 08:58:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-two-results-every-week-and-display-the/m-p/625966#M217579 btluynk 2023-01-05T08:58:15Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-two-results-every-week-and-display-the/m-p/625971#M217581 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/245096">@btluynk</a>,</P><P>always remember that Splunk isn't a database and the join command must be used only when you haven't any other solution because it's a very slow and resource consuming command.</P><P>Let me understand: you want to find the hostname in windows and in logsource, but if you use the condition checker=0, you always have results, what do you want really find: the list of hostanems every week?</P><P>Anyway, your original search can be done using stats in this way:</P><LI-CODE lang="markup">(index=windows_server source=AD_Enabled_Server) OR (index=logsource source="/root/xxx/aaa.txt") | stats dc(index) AS index_count values(index) AS index BY hostname | where index_count=1 AND index=windows</LI-CODE><P>&nbsp;If instead you want to find the hostname in windows that are also in logsource, you can use :</P><LI-CODE lang="markup">index=windows_server source=AD_Enabled_Server [ search index=logsource source="/root/xxx/aaa.txt") | fields hostname ]</LI-CODE><P>this search has only the limit of 50,000 results in the subsearch.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 05 Jan 2023 09:12:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-two-results-every-week-and-display-the/m-p/625971#M217581 gcusello 2023-01-05T09:12:08Z