https://community.splunk.com/t5/Splunk-Search/Compare-2-source-types-within-the-same-index-and-find-the-Gap/m-p/682941#M233271 <P>Hello <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;,</P><P>Thank for your quick response, truly appreciate it. But it's not working giving the entire events of source type&nbsp;<SPAN>accountA</SPAN></P><P>&nbsp;</P> Wed, 03 Apr 2024 03:25:17 GMT SplunkDash 2024-04-03T03:25:17Z https://community.splunk.com/t5/Splunk-Search/Compare-2-source-types-within-the-same-index-and-find-the-Gap/m-p/682905#M233251 <P>Hello,</P><P>How do I compare 2 source types within the same index and find the Gap. For Example: index=compare sourcetype=accountA and sourcetype=accountB; we have some account info in accountA but not in&nbsp;accountB and objective is to find that gap.</P><P>&nbsp;</P><P><STRONG>sourcetypeA</STRONG></P><P>accid&nbsp; &nbsp;nameA&nbsp; addressA cellA</P><P>002&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;test1&nbsp; &nbsp;tadd1&nbsp; &nbsp; 1234</P><P>003&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;test2&nbsp; &nbsp; tadd2&nbsp; &nbsp; 1256</P><P>003&nbsp; &nbsp; &nbsp; test2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tadd2&nbsp; &nbsp; 5674</P><P>004&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;test3&nbsp; &nbsp; &nbsp;tadd3&nbsp; &nbsp;2345</P><P>005&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;test4&nbsp; &nbsp; &nbsp; tadd4&nbsp; 4567</P><P>006&nbsp; &nbsp; &nbsp; &nbsp; test5&nbsp; &nbsp; &nbsp; tadd5&nbsp; &nbsp;7800</P><P>006&nbsp; &nbsp; test5&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tadd5&nbsp; &nbsp;9900</P><P>&nbsp;</P><P><STRONG>sourcetypeB</STRONG></P><P>accid&nbsp; &nbsp;nameB&nbsp; addressB cellB</P><P>002&nbsp; &nbsp; &nbsp; &nbsp;test1&nbsp; &nbsp; &nbsp; &nbsp; tadd1&nbsp; &nbsp; 1234</P><P>003&nbsp; &nbsp; &nbsp; test2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tadd2&nbsp; &nbsp; 5674</P><P>004&nbsp; &nbsp; &nbsp;test3&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; tadd3&nbsp; &nbsp;2345</P><P>005&nbsp; &nbsp; &nbsp;test4&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tadd3&nbsp; 4567</P><P>006&nbsp; &nbsp; test5&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tadd5&nbsp; &nbsp;9900</P><P>&nbsp;</P><P><STRONG>Output will be:</STRONG></P><P>003&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;test2&nbsp; &nbsp; tadd2&nbsp; &nbsp; 1256</P><P>006&nbsp; &nbsp; &nbsp; &nbsp; test5&nbsp; &nbsp; &nbsp; tadd5&nbsp; &nbsp;7800</P><P>&nbsp;</P><P>Any Recommendation will be highly appreciated.</P><P>&nbsp;</P> Tue, 02 Apr 2024 21:35:30 GMT https://community.splunk.com/t5/Splunk-Search/Compare-2-source-types-within-the-same-index-and-find-the-Gap/m-p/682905#M233251 SplunkDash 2024-04-02T21:35:30Z https://community.splunk.com/t5/Splunk-Search/Compare-2-source-types-within-the-same-index-and-find-the-Gap/m-p/682907#M233253 <P>Try something like this</P><LI-CODE lang="markup">index=compare sourcetype="accountA" OR sourcetype="accountB" | rename nameB as nameA, addressB as addressA, cellB as cellA | eventstats count by accid nameA addressA cellA | where count==1</LI-CODE> Tue, 02 Apr 2024 22:21:36 GMT https://community.splunk.com/t5/Splunk-Search/Compare-2-source-types-within-the-same-index-and-find-the-Gap/m-p/682907#M233253 ITWhisperer 2024-04-02T22:21:36Z https://community.splunk.com/t5/Splunk-Search/Compare-2-source-types-within-the-same-index-and-find-the-Gap/m-p/682941#M233271 <P>Hello <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;,</P><P>Thank for your quick response, truly appreciate it. But it's not working giving the entire events of source type&nbsp;<SPAN>accountA</SPAN></P><P>&nbsp;</P> Wed, 03 Apr 2024 03:25:17 GMT https://community.splunk.com/t5/Splunk-Search/Compare-2-source-types-within-the-same-index-and-find-the-Gap/m-p/682941#M233271 SplunkDash 2024-04-03T03:25:17Z https://community.splunk.com/t5/Splunk-Search/Compare-2-source-types-within-the-same-index-and-find-the-Gap/m-p/682976#M233280 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234909">@SplunkDash</a>, Can you please check below -&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="accid,nameA,addressA,cellA 002,test1,tadd1,1234 003,test2,tadd2,1256 003,test2,tadd2,5674 004,test3,tadd3,2345 005,test4,tadd4,4567 006,test5,tadd5,7800 006,test5,tadd5,9900" | multikv forceheader=1 | eval sourcetype="sourcetypeA" | append [| makeresults | eval _raw="accid,nameB,addressB,cellB 002,test1,tadd1,1234 003,test2,tadd2,5674 004,test3,tadd3,2345 005,test4,tadd3,4567 006,test5,tadd5,9900" | multikv forceheader=1 | eval sourcetype="sourcetypeB" ] | kv | stats values(*) as * by accid | where mvcount(nameA) != mvcount(nameB) OR mvcount(addressA) != mvcount(addressB) OR mvcount(cellA) != mvcount(cellB)</LI-CODE><P>&nbsp;</P><P>Please let me know if you have any questions for the above.</P><P>Please accept the solution and hit Karma, if this helps!</P> Wed, 03 Apr 2024 08:09:44 GMT https://community.splunk.com/t5/Splunk-Search/Compare-2-source-types-within-the-same-index-and-find-the-Gap/m-p/682976#M233280 meetmshah 2024-04-03T08:09:44Z https://community.splunk.com/t5/Splunk-Search/Compare-2-source-types-within-the-same-index-and-find-the-Gap/m-p/682993#M233282 <P>Try with coalesce</P><LI-CODE lang="markup">| eval nameA=coalesce(nameA, nameB), addressA=coalesce(addressA, addressB), cellA=coalesce(cellA, cellB) | eventstats count by accid nameA addressA cellA | where count==1</LI-CODE> Wed, 03 Apr 2024 09:01:47 GMT https://community.splunk.com/t5/Splunk-Search/Compare-2-source-types-within-the-same-index-and-find-the-Gap/m-p/682993#M233282 ITWhisperer 2024-04-03T09:01:47Z