https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-results-of-2-searches/m-p/655093#M226301 <P>You can perform a set operation on the two searches as illustrated. &nbsp;But a far more efficient method is to perform just one search and use <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions#mvmap.28.26lt.3Bmv.26gt.3B.2C.26lt.3Bexpression.26gt.3B.29" target="_blank" rel="noopener">mvmap</A>.</P><LI-CODE lang="markup">index=sampleindex source=samplesource (SUCCESS OR FAILURE) | rex field=data max_match=0 "\"SUCCESS\" \"ID:\s*(?&lt;success&gt;\d+)" | rex field=data max_match=0 "\"FAILURE\" \"ID:\s*(?&lt;failure&gt;\d+)" | eval failed = mvmap(failure, if(failure != success, failure, null()))</LI-CODE><P>(In SPL, equality test of a scalar and a vector iterates over the vector.) &nbsp;The field failed now contains all the failure IDs that is not found in success.</P> Mon, 21 Aug 2023 22:37:55 GMT yuanliu 2023-08-21T22:37:55Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-results-of-2-searches/m-p/655071#M226297 <P>I have splunk logs that are of 2 types, successes and failures. They contain 2 things:</P> <P>"SUCCESS" "ID: &lt;IDNumber&gt;"</P> <P>"FAILURE" "ID: &lt;IDNumber&gt;"</P> <P>&nbsp;</P> <P>My goal is to find IDs that are identified with failures that are not also identified with a success. So for the data:</P> <P>"SUCCESS" "ID: 0000", "FAILURE" "ID: 0000", "SUCCESS" "ID: 1111", "FAILURE" "ID: 2222", "SUCCESS" "ID: 3333", "FAILURE" "ID: 4444"</P> <P>the result would be the IDs 2222 and 4444</P> <P>&nbsp;</P> <P>My current search is:&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=sampleindex source=samplesource "SUCCESS" | rex field=_raw "ID: (?&lt;id1&gt;+)" | join [search index=sampleindex source=samplesource "FAILURE" | rex field=_raw "ID: (?&lt;id2&gt;+)"] | table id1, id2</LI-CODE> <P>&nbsp;</P> <P>&nbsp;I am able to perform each of these searches separately and output the ids, but when I combine them I cannot get the results of either id1 or id2, so I am not able to compare them</P> <P>&nbsp;</P> <P>Does anyone know how I can structure my search to achieve my final goal?</P> <P>&nbsp;</P> Mon, 21 Aug 2023 20:01:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-results-of-2-searches/m-p/655071#M226297 ckutach 2023-08-21T20:01:09Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-results-of-2-searches/m-p/655093#M226301 <P>You can perform a set operation on the two searches as illustrated. &nbsp;But a far more efficient method is to perform just one search and use <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/MultivalueEvalFunctions#mvmap.28.26lt.3Bmv.26gt.3B.2C.26lt.3Bexpression.26gt.3B.29" target="_blank" rel="noopener">mvmap</A>.</P><LI-CODE lang="markup">index=sampleindex source=samplesource (SUCCESS OR FAILURE) | rex field=data max_match=0 "\"SUCCESS\" \"ID:\s*(?&lt;success&gt;\d+)" | rex field=data max_match=0 "\"FAILURE\" \"ID:\s*(?&lt;failure&gt;\d+)" | eval failed = mvmap(failure, if(failure != success, failure, null()))</LI-CODE><P>(In SPL, equality test of a scalar and a vector iterates over the vector.) &nbsp;The field failed now contains all the failure IDs that is not found in success.</P> Mon, 21 Aug 2023 22:37:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-results-of-2-searches/m-p/655093#M226301 yuanliu 2023-08-21T22:37:55Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-results-of-2-searches/m-p/655099#M226305 <P>I am assuming that you will have 2 separate events, one for success and one for failure, so in that case, you'll need a slightly different version of&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901">@yuanliu</a>&nbsp;SPL</P><LI-CODE lang="markup">index=sampleindex source=samplesource (SUCCESS OR FAILURE) | rex field=data "\"(?&lt;status&gt;SUCCESS)\" \"ID:\s*(?&lt;id&gt;\d+)" | rex field=data "\"(?&lt;status&gt;FAILURE)\" \"ID:\s*(?&lt;id&gt;\d+)" | stats values(status) as status by id | where mvcount(status)=1 AND status="FAILURE"</LI-CODE><P>so the stats command combines all status values for the same id and then the where clause filters out only those ids where the status is FAILURE only</P> Tue, 22 Aug 2023 00:42:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-results-of-2-searches/m-p/655099#M226305 bowesmana 2023-08-22T00:42:05Z