topic Re: How to compare two searches and count multiple fields and values? in Splunk Search

How to compare two searches and count multiple fields and values?

glenngermiathen — Fri, 08 Dec 2017 16:00:06 GMT

I have combined data from two searches and want to compare them to identify what is new in the second search, what is removed from the first, and what is persistent across both searches. My data looks like:
asset event search
1 a 1st
1 a 2nd
1 b 1st
1 c 2nd
I want the results to look like
asset event status
1 a persistent
1 b removed
1 c new

How would I go about doing this? Im thinking a combination of eval with nested if statements, but really not sure if this is the best approach or how to execute.

Re: How to compare two searches and count multiple fields and values?

jplumsdaine22 — Fri, 08 Dec 2017 16:03:49 GMT

Can you post your searches?

Re: How to compare two searches and count multiple fields and values?

somesoni2 — Fri, 08 Dec 2017 16:18:12 GMT

Try like this(fixed typo on mvcount)

your current search with results from both searches
| table asset event search
| stats values(search) as search by asset event
| eval status=case(mvcount(search)=2,"persistent",search="1st","removed",true(),"new")
| table asset event status

Re: How to compare two searches and count multiple fields and values?

elliotproebstel — Fri, 08 Dec 2017 16:22:34 GMT

My high-level approach to this would be:

first search 
| eval from_first=1
| append [ second search  | eval from_second=1 ]
| stats values(from_first) AS from_first, values(from_second) AS from_second BY asset event
| eval status=case(from_first=1 AND from_second=1, "persistent", 
  from_first=1 AND isnull(from_second), "removed", 
  isnull(from_first) AND from_second=1, "new")
| fields - from_first from_second

There may well be a more efficient way to do it if we analyze your specific search queries.

Re: How to compare two searches and count multiple fields and values?

glenngermiathen — Fri, 08 Dec 2017 17:19:44 GMT

Works great, thanks! Just a typo on mvcount

Re: How to compare two searches and count multiple fields and values?

somesoni2 — Fri, 08 Dec 2017 17:21:59 GMT

Oops. Fixed.

Re: How to compare two searches and count multiple fields and values?

DalJeanis — Fri, 08 Dec 2017 19:00:18 GMT

@elliotproebstel - That would work... and I'll give you some general comments about improving efficiency, since you brought it up. 😉

In general, you never want to have two searches when one will do. So this pseudocode...

  first search 
 | eval from_first=1
 | append [ second search  | eval from_second=1 ]

...should be replaced whenever possible by this pseudocode...

  (first search) OR (second search) 
 | eval from_first=case( this is from the first search, 1)
 | eval from_second=case( this is from the second search, 1)

To make searches as efficient as possible, one should always get in the habit of getting rid of all unneeded fields. There aren't any in the example data, but just for good practice, there should be a fields command there.

There is only going to be a single value or none, so values() and max() are equivalent. I tend to use max() in that case, because it implicitly guarantees there will not be multiple values, and you don't ever have to look higher in the code to confirm.

  (first search) OR (second search) 
 | fields asset event ... plus whatever I need to differentiate between searches
 | eval from_first=case( this is from the first search, 1)
 | eval from_second=case( this is from the second search, 1)
 | stats  max(from_first) as from_first max(from_second) as from_second by asset event

Technically, you don't have to create the from_* fields there, and since you only want to test existence or not, so you can use a count(eval()) in the stats instead of creating fields.

  (first search) OR (second search) 
 | fields asset event ... plus whatever I need to differentiate between searches
 | stats  max(eval(test that produces a 1 if first search or null otherwise))) as found_first, 
           max(eval(test that produces a 1 if second search or null otherwise)))  as found_second by asset event

Re: How to compare two searches and count multiple fields and values?

elliotproebstel — Fri, 08 Dec 2017 19:11:36 GMT

Thank you! As usual, @DalJeanis, I learn so much from your feedback. I really appreciate you taking the time to share this.

Re: How to compare two searches and count multiple fields and values?

DalJeanis — Fri, 08 Dec 2017 19:31:55 GMT

@elliotproebstel - Well, I notice you and @kamlesh_vaghela spending a lot of time helping people out, so I decided to invest some time in y'all Dalsplaining whenever I can. @woodcock and @somesoni2 and @jkat54 and many others did that for me, so I'm passing it on, and I'm sure you will too.

By the way, get on the Splunk slack channel if you aren't already. Plenty more good stuff happening there.

Re: How to compare two searches and count multiple fields and values?

elliotproebstel — Fri, 08 Dec 2017 19:41:16 GMT

Thanks. I did send in a request for the Splunk slack channel a few days ago, so hopefully I'll get approved soon!

Re: How to compare two searches and count multiple fields and values?

DalJeanis — Fri, 08 Dec 2017 19:47:34 GMT

Hmmm. Okay, @ellliotproebstel tag me sometime this weekend if it hasn't gotten done, and I'll rattle some cages. I thought that was mostly automatic.

@lfedak, any idea who needs to be pinged to allow this extremely helpful person into the slack fold?

Re: How to compare two searches and count multiple fields and values?

lfedak_splunk — Fri, 08 Dec 2017 19:50:36 GMT

"Dalsplaining" -- that is great.
@elliotproebstel, we love your participation on Answers! On it and will update if there's any roadblack to approval for Slack.

Re: How to compare two searches and count multiple fields and values?

lfedak_splunk — Fri, 08 Dec 2017 19:50:54 GMT

^^ See comment above

Re: How to compare two searches and count multiple fields and values?

elliotproebstel — Fri, 08 Dec 2017 19:53:07 GMT

Thanks, @lfedak. I appreciate it!

Re: How to compare two searches and count multiple fields and values?

jkat54 — Fri, 08 Dec 2017 23:05:22 GMT

Funny, I don’t remember helping much! Happy to know even if I had a small part in creating a splunk monster like you though @daljeanis.

Re: How to compare two searches and count multiple fields and values?

glenngermiathen — Sat, 09 Dec 2017 04:07:55 GMT

Went the route of the other answer, but this makes good sense too.