https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-find-out-events-that-have-field-values/m-p/641774#M222313 <P>I have two lookups: one is the scan results from the current week and the other is historical lookup of scan results from the weeks prior. Each event is the scan results for a host (fields DNS IP). I have a field called called Host_Auth that can have of the following field values:</P><UL><LI>Windows Successful</LI><LI>Windows Failure</LI><LI>Unix Failed</LI><LI>Unix Successful</LI><LI>Unix Timeout</LI><LI>Windows Not Attempted&nbsp;</LI><LI>Unix Not Attempted&nbsp;</LI><LI>Unknown</LI></UL><P>I would like to create a search where the first lookup is compered against the second lookup and return events where the Host_Auth field value is is different.&nbsp;</P><P>I tried a join type=left Host_Auth but that didn't quite work&nbsp;</P> Fri, 28 Apr 2023 16:31:36 GMT atebysandwich 2023-04-28T16:31:36Z https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-find-out-events-that-have-field-values/m-p/641774#M222313 <P>I have two lookups: one is the scan results from the current week and the other is historical lookup of scan results from the weeks prior. Each event is the scan results for a host (fields DNS IP). I have a field called called Host_Auth that can have of the following field values:</P><UL><LI>Windows Successful</LI><LI>Windows Failure</LI><LI>Unix Failed</LI><LI>Unix Successful</LI><LI>Unix Timeout</LI><LI>Windows Not Attempted&nbsp;</LI><LI>Unix Not Attempted&nbsp;</LI><LI>Unknown</LI></UL><P>I would like to create a search where the first lookup is compered against the second lookup and return events where the Host_Auth field value is is different.&nbsp;</P><P>I tried a join type=left Host_Auth but that didn't quite work&nbsp;</P> Fri, 28 Apr 2023 16:31:36 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-find-out-events-that-have-field-values/m-p/641774#M222313 atebysandwich 2023-04-28T16:31:36Z https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-find-out-events-that-have-field-values/m-p/641783#M222315 <P>The <FONT face="courier new,courier">join</FONT> command pairs events with the same values of the specified field.&nbsp; It cannot be used to find differences.</P><P>To find differences, join events using another field (DNS, perhaps) then filter on the Host_Auth field.</P><LI-CODE lang="markup">&lt;&lt;search 1&gt;&gt; | rename Host_Auth as Host_Auth_1 | join type=left DNS [ &lt;&lt;search 2&gt;&gt; | rename Host_Auth as Host_Auth_2 ] | where Host_Auth_1 != Host_Auth_2</LI-CODE><P>&nbsp;My standard disclaimer applies: <FONT face="courier new,courier">join</FONT> is inefficient so consider using <FONT face="courier new,courier">append</FONT> or another method of combining results.</P> Fri, 28 Apr 2023 17:20:37 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-find-out-events-that-have-field-values/m-p/641783#M222315 richgalloway 2023-04-28T17:20:37Z https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-find-out-events-that-have-field-values/m-p/641805#M222327 <P>To build on&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>'s disclaimer<span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span>, here's a possible alternative</P><LI-CODE lang="markup">(&lt;&lt;sourcetype=sourcetyp1 search 1&gt;&gt;) OR (&lt;&lt;sourcetype=sourcetype2 search 2&gt;&gt;) ``` replace sourcetype with any field that differentiates search 1 from search 2 ``` | eventstats dc(sourcetype) as sourcetypes by DNS Host_Auth | where sourcetypes == 1</LI-CODE><P>&nbsp;</P> Fri, 28 Apr 2023 23:05:39 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-find-out-events-that-have-field-values/m-p/641805#M222327 yuanliu 2023-04-28T23:05:39Z https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-find-out-events-that-have-field-values/m-p/641881#M222355 <P>This worked exactly as I was hoping. I changed the join to be looking for IP rather than DNS.&nbsp;</P><P>Thank you for the help on this!</P> Mon, 01 May 2023 13:41:27 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-best-way-to-find-out-events-that-have-field-values/m-p/641881#M222355 atebysandwich 2023-05-01T13:41:27Z