https://community.splunk.com/t5/Splunk-Search/Difference-between-users/m-p/706597#M239105 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/270694">@JandrevdM</a>&nbsp;as your search is doing the same search twice just with a different user, you'd be better off just doing a single search and splitting by user, e.g. - similar to your existing search</P><LI-CODE lang="markup">index=db_assets sourcetype=assets_ad_users ($user1$ OR $user2$) | dedup displayName sAMAccountName memberOf | makemv delim="," memberOf | mvexpand memberOf | rex field=memberOf "CN=(?&lt;Group&gt;[^,]+)" | where Group!="" | stats values(Group) as Groups by user</LI-CODE><P>which will give you a user column and then a multivalue field with the list of groups</P><P>If you then want to automatically show the differences between the two users, you can following that with</P><LI-CODE lang="markup">| transpose 0 header_field=user | eval UniqueU1=mvmap(User1, if(User1!=User2,User1,null())) | eval UniqueU2=mvmap(User2, if(User2!=User1,User2,null())) | eval Common=mvmap(User1, if(User1=User2,User1,null()))</LI-CODE><P>and it will give you a list of groups unique to user 1, user 2 and the common groups.</P><P>However, your existing search could be more efficiently done with</P><LI-CODE lang="markup">index=db_assets sourcetype=assets_ad_users ($user1$ OR $user2$) | fields displayName sAMAccountName memberOf | stats latest(*) as * by user | eval memberOf=split(memberOf,",") | rex field=memberOf max_match=0 "CN=(?&lt;Group&gt;.+)" | fields - memberOf</LI-CODE><P>If you really want a row by row breakdown of groups, you can do the base search and then just do this</P><LI-CODE lang="markup">| chart count over Group by user | foreach * [ eval &lt;&lt;FIELD&gt;&gt;=if("&lt;&lt;FIELD&gt;&gt;"="Group", &lt;&lt;FIELD&gt;&gt;, if('&lt;&lt;FIELD&gt;&gt;'=1, "Member", "Missing")) ]</LI-CODE><P>which will tell you Membership status of each group per user</P> Wed, 11 Dec 2024 23:29:26 GMT bowesmana 2024-12-11T23:29:26Z https://community.splunk.com/t5/Splunk-Search/Difference-between-users/m-p/706548#M239087 <P>Good day,<BR /><BR />I am trying to get a dashboard up and going to easily find the difference between two users groups. I get my information pulled from AD into splunk and then if user1 has a group that user2 doesnt have then I can easily compare two users to see what is missing. Example users in the same department typically require the same access but one might have more privileges and that is what I want to see.<BR /><BR />So my search works fine, only problem is it only gives me the group difference and now I cant see who has that group in order to add it to the user that doesnt have the group.<BR /><BR />I want to add the user next to the group:<BR />example</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">group</TD><TD width="50%">user</TD></TR><TR><TD width="50%">G-Google</TD><TD width="50%">user1</TD></TR><TR><TD width="50%">G-Splunk</TD><TD width="50%">user2</TD></TR></TBODY></TABLE><LI-CODE lang="markup">| set diff [ search index=db_assets sourcetype=assets_ad_users $user1$ | dedup displayName sAMAccountName memberOf | makemv delim="," memberOf | mvexpand memberOf | rex field=memberOf "CN=(?&lt;Group&gt;[^,]+)" | where Group!="" | table Group ] [ search index=db_assets sourcetype=assets_ad_users $user2$ | dedup displayName sAMAccountName memberOf | makemv delim="," memberOf | mvexpand memberOf | rex field=memberOf "CN=(?&lt;Group&gt;[^,]+)" | where Group!="" | table Group ]</LI-CODE><P>&nbsp;</P> Wed, 11 Dec 2024 14:42:03 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-users/m-p/706548#M239087 JandrevdM 2024-12-11T14:42:03Z https://community.splunk.com/t5/Splunk-Search/Difference-between-users/m-p/706562#M239088 <P>That is the nature of the <FONT face="courier new,courier">set diff</FONT> command - it will tell there's a difference, but doesn't say what it is.&nbsp; See <A href="https://docs.splunk.com/Documentation/Splunk/9.3.2/SearchReference/Set" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.3.2/SearchReference/Set</A></P><P>An alternative would be to count the members of each group and show those with only one member.</P><LI-CODE lang="markup">| multisearch [ search index=db_assets sourcetype=assets_ad_users $user1$ | dedup displayName sAMAccountName memberOf | makemv delim="," memberOf | mvexpand memberOf | rex field=memberOf "CN=(?&lt;Group&gt;[^,]+)" | where Group!="" | eval User=$user1$ | table Group User ] [ search index=db_assets sourcetype=assets_ad_users $user2$ | dedup displayName sAMAccountName memberOf | makemv delim="," memberOf | mvexpand memberOf | rex field=memberOf "CN=(?&lt;Group&gt;[^,]+)" | eval User=$user2$ | where Group!="" | table Group User ] | stats values(User) as Users by Group | where mvcount(Users)=1</LI-CODE><P>&nbsp;</P> Wed, 11 Dec 2024 15:49:15 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-users/m-p/706562#M239088 richgalloway 2024-12-11T15:49:15Z https://community.splunk.com/t5/Splunk-Search/Difference-between-users/m-p/706597#M239105 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/270694">@JandrevdM</a>&nbsp;as your search is doing the same search twice just with a different user, you'd be better off just doing a single search and splitting by user, e.g. - similar to your existing search</P><LI-CODE lang="markup">index=db_assets sourcetype=assets_ad_users ($user1$ OR $user2$) | dedup displayName sAMAccountName memberOf | makemv delim="," memberOf | mvexpand memberOf | rex field=memberOf "CN=(?&lt;Group&gt;[^,]+)" | where Group!="" | stats values(Group) as Groups by user</LI-CODE><P>which will give you a user column and then a multivalue field with the list of groups</P><P>If you then want to automatically show the differences between the two users, you can following that with</P><LI-CODE lang="markup">| transpose 0 header_field=user | eval UniqueU1=mvmap(User1, if(User1!=User2,User1,null())) | eval UniqueU2=mvmap(User2, if(User2!=User1,User2,null())) | eval Common=mvmap(User1, if(User1=User2,User1,null()))</LI-CODE><P>and it will give you a list of groups unique to user 1, user 2 and the common groups.</P><P>However, your existing search could be more efficiently done with</P><LI-CODE lang="markup">index=db_assets sourcetype=assets_ad_users ($user1$ OR $user2$) | fields displayName sAMAccountName memberOf | stats latest(*) as * by user | eval memberOf=split(memberOf,",") | rex field=memberOf max_match=0 "CN=(?&lt;Group&gt;.+)" | fields - memberOf</LI-CODE><P>If you really want a row by row breakdown of groups, you can do the base search and then just do this</P><LI-CODE lang="markup">| chart count over Group by user | foreach * [ eval &lt;&lt;FIELD&gt;&gt;=if("&lt;&lt;FIELD&gt;&gt;"="Group", &lt;&lt;FIELD&gt;&gt;, if('&lt;&lt;FIELD&gt;&gt;'=1, "Member", "Missing")) ]</LI-CODE><P>which will tell you Membership status of each group per user</P> Wed, 11 Dec 2024 23:29:26 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-users/m-p/706597#M239105 bowesmana 2024-12-11T23:29:26Z