https://community.splunk.com/t5/Splunk-Search/Adding-host-field-to-a-set-diff-command/m-p/321463#M96039 <P>Do this:</P> <PRE><CODE>index=example sourcetype=example host=host1 OR host=host2 | stats values(host) AS hosts BY FIELD | where mvcount(hosts)=1 </CODE></PRE> Thu, 20 Jul 2017 16:12:39 GMT woodcock 2017-07-20T16:12:39Z https://community.splunk.com/t5/Splunk-Search/Adding-host-field-to-a-set-diff-command/m-p/321462#M96038 <P>My set diff query compares the values of one field from two different hosts and outputs a list of the field values that are unique to one host or the other. However, I can't seem to find a way to also display the host name alongside the output. I am trying to get a list of values that are unique to one host and know which host they have come from.</P> <P>The query follows this format: </P> <P>| set diff [index=example sourcetype=example host=host1 | table FIELD] [index=example sourcetype=example host=host2 | table FIELD] </P> <P>It will then output a list of values for that field that are unique to one host or the other, but I have no way of knowing which host they are unique to. If I include host in the table part of the subsearches it will return all entries, since the host is different in all cases. </P> <P>I'm looking for something like this </P> <P>Field host<BR /> 1234 host1<BR /> 5678 host2<BR /> 9101 host1<BR /> 2345 host1</P> <P>Any suggestions?</P> <P>Thanks!</P> Thu, 20 Jul 2017 16:04:58 GMT https://community.splunk.com/t5/Splunk-Search/Adding-host-field-to-a-set-diff-command/m-p/321462#M96038 leonienicks 2017-07-20T16:04:58Z https://community.splunk.com/t5/Splunk-Search/Adding-host-field-to-a-set-diff-command/m-p/321463#M96039 <P>Do this:</P> <PRE><CODE>index=example sourcetype=example host=host1 OR host=host2 | stats values(host) AS hosts BY FIELD | where mvcount(hosts)=1 </CODE></PRE> Thu, 20 Jul 2017 16:12:39 GMT https://community.splunk.com/t5/Splunk-Search/Adding-host-field-to-a-set-diff-command/m-p/321463#M96039 woodcock 2017-07-20T16:12:39Z https://community.splunk.com/t5/Splunk-Search/Adding-host-field-to-a-set-diff-command/m-p/321464#M96040 <P>Thanks so much - this is great! The only thing is that it won't display any duplicate extra results to one host so for example, if host1 has event A once and host2 has event A twice, since it's the same value it won't show in this. Perhaps there is a separate query that would fetch this?</P> Thu, 20 Jul 2017 16:40:24 GMT https://community.splunk.com/t5/Splunk-Search/Adding-host-field-to-a-set-diff-command/m-p/321464#M96040 leonienicks 2017-07-20T16:40:24Z https://community.splunk.com/t5/Splunk-Search/Adding-host-field-to-a-set-diff-command/m-p/321465#M96041 <P>OK, try this:</P> <PRE><CODE>index=example sourcetype=example host=host1 OR host=host2 | stats count BY host FIELD | eventstats dc(host) AS hosts BY FIELD | where Your Logic Here </CODE></PRE> Thu, 20 Jul 2017 21:33:14 GMT https://community.splunk.com/t5/Splunk-Search/Adding-host-field-to-a-set-diff-command/m-p/321465#M96041 woodcock 2017-07-20T21:33:14Z https://community.splunk.com/t5/Splunk-Search/Adding-host-field-to-a-set-diff-command/m-p/321466#M96042 <P>Thanks! This inspired me to do something else I was working on, which was that for the same unique ID field, fetching the results that had differences elsewhere in the events: <BR /> index=example sourcetype=example host=host1 OR host=host2<BR /> | eventstats dc(host) AS uniqueID BY FIELD<BR /> | where uniqueID = 2<BR /> | eval raw=toString(FIELD)+"|"+toString(FIELD2)+"|"+toString(FIELD3)<BR /> | stats values(host) AS hosts BY raw<BR /> | where mvcount(hosts) = 1</P> Wed, 26 Jul 2017 14:57:27 GMT https://community.splunk.com/t5/Splunk-Search/Adding-host-field-to-a-set-diff-command/m-p/321466#M96042 leonienicks 2017-07-26T14:57:27Z