https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269843#M81211 <P>I guess you should be using appendcols here. Append will create those fields in totally different events/rows and your eval will fail.</P> Thu, 04 Feb 2016 22:31:50 GMT somesoni2 2016-02-04T22:31:50Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269840#M81208 <P>Hi,</P> <P>I need to run a compare against the count of two different searches - how would I do that? I'm counting the number of unique sources from two different indexes, and they need to be the same. </P> Thu, 04 Feb 2016 21:39:25 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269840#M81208 a212830 2016-02-04T21:39:25Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269841#M81209 <PRE><CODE> index=index1 | dedup source | stats dc(source) AS idx1ct | appendcols [search index=index2 | dedup source | stats dc(source) AS idx2ct ] | eval nodiff=if(match(idxct1,idxct2),"True","False") | table nodiff </CODE></PRE> Thu, 04 Feb 2016 22:11:36 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269841#M81209 jkat54 2016-02-04T22:11:36Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269842#M81210 <P>It depends upon what type of searches and what columns are available on those two searches. Could you provide some more information on the output of the those two searches? Based on that it could be appendcols OR join OR may be simple stats can do the job.</P> Thu, 04 Feb 2016 22:17:17 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269842#M81210 somesoni2 2016-02-04T22:17:17Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269843#M81211 <P>I guess you should be using appendcols here. Append will create those fields in totally different events/rows and your eval will fail.</P> Thu, 04 Feb 2016 22:31:50 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269843#M81211 somesoni2 2016-02-04T22:31:50Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269844#M81212 <P>A simple stats command should do the trick</P> <PRE><CODE>index=index1 OR index=index2 | stats dc(source) by index </CODE></PRE> <P>Have a read <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Stats">http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Stats</A></P> <P>If theres one command you learn, make it stats!</P> Thu, 04 Feb 2016 22:41:48 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269844#M81212 jplumsdaine22 2016-02-04T22:41:48Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269845#M81213 <P>changed to appendcols, thanks. So a little more explanation now that I'm not on my phone. The search creates a field called nodiff that is true if there isnt a difference in the count of sources between indexes, or false if there is a difference. The dedups speed up the stats distinct count functions but are not required. Remove the final table to see the rest of the fields.</P> Fri, 05 Feb 2016 07:46:24 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269845#M81213 jkat54 2016-02-05T07:46:24Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269846#M81214 <P>Hi <BR /> Use this search code and look at the difference in the results</P> <PRE><CODE> index=_internal | stats dc(source) AS C1| appendcols [search index=_audit| stats dc(source) AS C2 ] |table C1 C2 </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1034i6D8FB7D8EA205A42/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Fri, 05 Feb 2016 11:24:30 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269846#M81214 chimell 2016-02-05T11:24:30Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269847#M81215 <P>Thanks!!!!</P> Sun, 10 Apr 2016 01:38:31 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269847#M81215 a212830 2016-04-10T01:38:31Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269848#M81216 <P>Hi a212830,</P> <P>Read <A href="https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html">https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html</A> and watch the March 2016 virtual.conf talk from <A href="http://wiki.splunk.com/Virtual_.conf">http://wiki.splunk.com/Virtual_.conf</A> for more info how this can be done.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Sun, 10 Apr 2016 06:35:25 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269848#M81216 MuS 2016-04-10T06:35:25Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269849#M81217 <P>If this answered your question can you mark it as the answer please?</P> <P>Also see MuS's answer below. Apparently it is more efficient than appendcols. If you find that the search is faster or more reliable using his technique, then please mark his as the answer.</P> Sun, 10 Apr 2016 12:06:43 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269849#M81217 jkat54 2016-04-10T12:06:43Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269850#M81218 <P>I like the elegance of using OR and I will have to revisit some old searches. </P> <P>Would this work for the op's scenario where they want a distinct count of events in two different indexes?</P> Mon, 11 Apr 2016 00:04:24 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269850#M81218 jkat54 2016-04-11T00:04:24Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269851#M81219 <P>of course:</P> <PRE><CODE>index=_internal OR index=_audit | eval internal_count=if(index="_internal", 1, null()) | eval audit_count=if(index="_audit", 1, null()) | stats sum(internal_count) AS internal sum(audit_count) AS audit | eval diff=internal-audit </CODE></PRE> Mon, 11 Apr 2016 00:11:22 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269851#M81219 MuS 2016-04-11T00:11:22Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269852#M81220 <P>That's so awesome! TYVM!!!</P> Mon, 11 Apr 2016 00:58:26 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269852#M81220 jkat54 2016-04-11T00:58:26Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269853#M81221 <P>How would you do that for comparing the count of two sourcetypes in one index?</P> Mon, 11 Apr 2016 16:39:44 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269853#M81221 wrangler2x 2016-04-11T16:39:44Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269854#M81222 <P>Ah, got that figured out. And using your technique you can do it across two as well. Cool!</P> Mon, 11 Apr 2016 17:44:03 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches/m-p/269854#M81222 wrangler2x 2016-04-11T17:44:03Z