https://community.splunk.com/t5/Splunk-Search/How-to-compare-table-columns-from-2-different-searches/m-p/271350#M81676 <P>In a hurry I responded this as Answer earlier so I ask moderator to ignore it if possible.</P> <P>Back to the question. Somesoni2 your answer got me some results and I thank you on that but still it's not quite what I need.</P> <P>New search looks like this:</P> <PRE><CODE>[search index="A" source="/var/log/splunkusers" host="XYZ" user="*"] OR [search index="B" source="/var/log/secure" host="XYZ" user="*" | dedup user] | table user host _time source </CODE></PRE> <P>and as a result I get:</P> <PRE><CODE>userA XYZ 2015-09-16 16:11:16 /var/log/secure userB XYZ 2015-09-23 15:24:38 /var/log/secure userC XYZ 2015-10-12 14:00:54 /var/log/secure userA XYZ 2015-10-14 07:42:29 /var/log/splunkusers userB XYZ 2015-10-14 07:42:29 /var/log/splunkusers userC XYZ 2015-10-14 07:42:29 /var/log/splunkusers userD XYZ 2015-10-14 07:42:29 /var/log/splunkusers userF XYZ 2015-10-14 07:42:29 /var/log/splunkusers </CODE></PRE> <P>and result what I need is:</P> <PRE><CODE> userD XYZ 2015-10-14 07:42:29 /var/log/splunkusers userF XYZ 2015-10-14 07:42:29 /var/log/splunkusers </CODE></PRE> <P>So basically I need only users from source /var/log/splunkusers that are not in /var/log/secure</P> <P>you suggested use of:</P> <PRE><CODE>| eventstats values(source) as source </CODE></PRE> <P>but it just groups me sources and there is no row with only one source so that I could use:</P> <PRE><CODE>...| where mvcount(source) =1 </CODE></PRE> <P>as you suggested. I get what you wanted to achieve and it would be ok. Can you please check my new search and example of results I get and results I need? It might give you better idea for possible solution.</P> Wed, 14 Oct 2015 10:53:40 GMT mkranjec 2015-10-14T10:53:40Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-table-columns-from-2-different-searches/m-p/271348#M81674 <P>So I have two similar searches that use two different indexes. The output of both searches are tables and what I want is to compare 1st column from table 1 (result of Search 1) and 1st column from table 2 (result of Search 2). </P> <P>Result should be diff of those two columns. <STRONG>Both columns contain a list of users and what I need are all users from column 1 (table1) that are not contained in column 2 (table2).</STRONG> Both columns in both tables are named "user" and both contain same usernames but 1st table has all usernames and 2nd table have just few usernames.</P> <P><STRONG>Search 1:</STRONG></P> <PRE><CODE>index="A" host="XYZ" source="ASDF" user="*" | table user host _time </CODE></PRE> <P><STRONG>Search 2:</STRONG></P> <PRE><CODE>index="B" host="XYZ" source="FDSA" user="*" | table user host _time </CODE></PRE> <P>I thought that It can be solved with:</P> <PRE><CODE>| set diff [Search1][Search2] </CODE></PRE> <P>but for some reason it doesn't give me result that I need. </P> <P>I would appreciate any help with this problem.</P> Tue, 13 Oct 2015 16:39:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-table-columns-from-2-different-searches/m-p/271348#M81674 mkranjec 2015-10-13T16:39:08Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-table-columns-from-2-different-searches/m-p/271349#M81675 <P>Try something like this</P> <PRE><CODE> ( index="A" source="ASDF") OR (index="B" source="FDSA") host="XYZ" source="ASDF" user="*" | table user host _time source | eventstats values(source) as source </CODE></PRE> <P>Now to get the users which are not present in both the index/source, add this to above search</P> <PRE><CODE>...| where mvcount(source) =1 </CODE></PRE> <P>For users only in index A, </P> <PRE><CODE>..| where mvcount(source)=1 AND source="ASDF" </CODE></PRE> Tue, 13 Oct 2015 18:21:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-table-columns-from-2-different-searches/m-p/271349#M81675 somesoni2 2015-10-13T18:21:54Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-table-columns-from-2-different-searches/m-p/271350#M81676 <P>In a hurry I responded this as Answer earlier so I ask moderator to ignore it if possible.</P> <P>Back to the question. Somesoni2 your answer got me some results and I thank you on that but still it's not quite what I need.</P> <P>New search looks like this:</P> <PRE><CODE>[search index="A" source="/var/log/splunkusers" host="XYZ" user="*"] OR [search index="B" source="/var/log/secure" host="XYZ" user="*" | dedup user] | table user host _time source </CODE></PRE> <P>and as a result I get:</P> <PRE><CODE>userA XYZ 2015-09-16 16:11:16 /var/log/secure userB XYZ 2015-09-23 15:24:38 /var/log/secure userC XYZ 2015-10-12 14:00:54 /var/log/secure userA XYZ 2015-10-14 07:42:29 /var/log/splunkusers userB XYZ 2015-10-14 07:42:29 /var/log/splunkusers userC XYZ 2015-10-14 07:42:29 /var/log/splunkusers userD XYZ 2015-10-14 07:42:29 /var/log/splunkusers userF XYZ 2015-10-14 07:42:29 /var/log/splunkusers </CODE></PRE> <P>and result what I need is:</P> <PRE><CODE> userD XYZ 2015-10-14 07:42:29 /var/log/splunkusers userF XYZ 2015-10-14 07:42:29 /var/log/splunkusers </CODE></PRE> <P>So basically I need only users from source /var/log/splunkusers that are not in /var/log/secure</P> <P>you suggested use of:</P> <PRE><CODE>| eventstats values(source) as source </CODE></PRE> <P>but it just groups me sources and there is no row with only one source so that I could use:</P> <PRE><CODE>...| where mvcount(source) =1 </CODE></PRE> <P>as you suggested. I get what you wanted to achieve and it would be ok. Can you please check my new search and example of results I get and results I need? It might give you better idea for possible solution.</P> Wed, 14 Oct 2015 10:53:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-table-columns-from-2-different-searches/m-p/271350#M81676 mkranjec 2015-10-14T10:53:40Z