https://community.splunk.com/t5/Splunk-Search/Comparing-differences-in-the-same-field-depending-on-the-row/m-p/684251#M233580 <LI-CODE lang="markup">| stats count by query</LI-CODE> Mon, 15 Apr 2024 14:35:40 GMT ITWhisperer 2024-04-15T14:35:40Z https://community.splunk.com/t5/Splunk-Search/Comparing-differences-in-the-same-field-depending-on-the-row/m-p/684237#M233571 <P>I'll try to explain it with a basic example. As an output of a stats command I have:<BR /><BR /></P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">detection</TD><TD width="50%">query</TD></TR><TR><TD width="50%">search1</TD><TD width="50%"><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">google.com</TD></TR><TR><TD width="100%">yahoo.com</TD></TR></TBODY></TABLE></TD></TR><TR><TD width="50%">search2</TD><TD width="50%"><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">google.com</TD></TR><TR><TD width="100%">bing.com</TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I want to get which queries are not being detected by both search1 and search 2. Or else, getting rid of the queries that are in both searches, either way work. Like ok, search1 is detecting yahoo.com whereas search2 isn't, and viceversa with bing.com<BR /><BR />I thought about grouping by query instead of by search,&nbsp; the problem is I have dozens or even hundreds of queries.<BR /><BR />Any thoughts? Cheers</P> Mon, 15 Apr 2024 12:28:34 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-differences-in-the-same-field-depending-on-the-row/m-p/684237#M233571 jo54 2024-04-15T12:28:34Z https://community.splunk.com/t5/Splunk-Search/Comparing-differences-in-the-same-field-depending-on-the-row/m-p/684251#M233580 <LI-CODE lang="markup">| stats count by query</LI-CODE> Mon, 15 Apr 2024 14:35:40 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-differences-in-the-same-field-depending-on-the-row/m-p/684251#M233580 ITWhisperer 2024-04-15T14:35:40Z https://community.splunk.com/t5/Splunk-Search/Comparing-differences-in-the-same-field-depending-on-the-row/m-p/684275#M233596 <P>You could stats count by query. Queries that are found by both detections will have count=2, while queries that are found by only one will have count=1. Then you can filter for count=1 to remove the hundreds of queries that are found by both detections.</P><LI-CODE lang="markup">| stats count by query | where count = 1</LI-CODE><P>&nbsp;</P> Mon, 15 Apr 2024 20:01:47 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-differences-in-the-same-field-depending-on-the-row/m-p/684275#M233596 marnall 2024-04-15T20:01:47Z