
Display only differences in values, between 2 events

Explorer

Hello,
I'm looking at events that track changes to a configuration. The first event is the "before" state and the newest event is the "after" state. These events are in JSON format and there are > 80 fields. I have a search that will display all of the values for each field present, but it's not practical to display a table with 80 columns and expect the user to locate the columns with multiple values.

Here are 2 very sanitized events.

After Mod Event --
{
"EventTime" : "02/23/2017-09:07:47",
"EventName" : "ChangeObject",
"EventType" : "Configuration",
"MQLONG MsgSeqNumber" : "2(0x00000002)",
"MQCAALTERATIONDATE" : "2017-02-23",
"MQCAALTERATIONTIME" : "09.07.47",
}

Before Mod Event --
{
"EventTime" : "02/23/2017-09:07:47",
"EventName" : "ChangeObject",
"EventType" : "Configuration",
"MQLONG MsgSeqNumber" : "1(0x00000001)",
"MQCAALTERATIONDATE" : "2017-02-23",
"MQCAALTERATIONTIME" : "09.01.47",
}

This stats command gives me the values for each field.
... | stats values(*) AS *

All I want to see are the fields that are different, in this case "MQLONG MsgSeqNumber" and "MQCAALTERATIONTIME". Many of the fields are all text. Again, there can be over 80 continually changing fields, so I can't write anything that lists specific fields. This seems like something that should be fairly common, but I can't find any threads that answer my specific need.

Hoping someone can share what they've done or tackle this challenge 🙂


Re: Display only differences in values, between 2 events

Explorer

I missed an *, should be "| stats values(*) AS *"


Re: Display only differences in values, between 2 events

Esteemed Legend

Like this:

... | stats values(*) AS * count(*) AS count* dc(*) AS dc* | foreach count* [eval '<<MATCHSTR>>'=if(($<<FIELD>>$=$dc<<MATCHSTR>>$), null(), $<<MATCHSTR>>$)] | fields - count* dc* | table *

Re: Display only differences in values, between 2 events

Explorer

Thank you. I saw that answer in another thread, but it doesn't work for me. I get this error. I don't even have that field... stumped.
Failed to parse templatized search for field 'counttag::eventtype'


Re: Display only differences in values, between 2 events

Esteemed Legend

Try my updated answer to account for the colons in your field names. It will work on the search bar but not in a dashboard panel without extra modification.


Re: Display only differences in values, between 2 events

Explorer

Thank you, I will try it, but I don't see any colons in my field names, just the separator.


Re: Display only differences in values, between 2 events

Esteemed Legend

It is right there in the error: a field named tag::eventtype.


Re: Display only differences in values, between 2 events

Explorer

Thank you for your patience. I ran the search and it returns all fields, not only those that are different. This is what I saw when I tried this solution from another thread.

source="splunkanswers.txt" index=testing | stats values(*) AS * count(*) AS count* dc(*) AS dc* | foreach count* [eval '<<MATCHSTR>>'=if(($<<FIELD>>$=$dc<<MATCHSTR>>$), null(), $<<MATCHSTR>>$)] | fields - count* dc* | table *

Here is a partial result exported to CSV. Several of the fields shown only have 1 value.

EventName    | EventTime           | MQCAALTERATIONDATE | MQCAALTERATIONTIME | MQLONG MsgSeqNumber         | datehour | datemday
ChangeObject | 02/23/2017-09:07:47 | 42789              | 09.01.47 09.07.47  | 1(0x00000001) 2(0x00000002) | 9        | 23


Re: Display only differences in values, between 2 events

Esteemed Legend

Give the other answer a try.


Re: Display only differences in values, between 2 events

SplunkTrust

Give this a try. Assuming you have only two events, if the value is the same for a field, values(field) will give a single value (mvcount will be 1).

your base search | stats values(*) as *  | eval temp=1 
| untable temp fieldname fieldvalue | where mvcount(fieldvalue)!=1
| xyseries temp fieldname fieldvalue | fields - temp

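The accepted answer's logic (collect the distinct values per field with stats values(*), then keep only the fields whose multivalue count is not 1) reproduced in plain Python, as an added example that is not code from the thread or from Splunk. It uses the two sanitized events from the question as constructed input, tolerates the trailing comma they carry before the closing brace, and goes one step further than the Splunk search: a field present in only one of the events is reported as a change (the Splunk version sees a single value there, mvcount 1, and drops it). The names parse_lenient, values_per_field, changed_fields, diff_events and the MISSING marker are this example's own.

```python
"""Field-level diff of JSON configuration events.

Added example, not code from the thread: it mirrors the accepted Splunk
answer (stats values(*) AS * | untable | where mvcount(fieldvalue)!=1)
in Python so the same check can be run on exported events, and also
flags fields that exist in only one of the events.
"""
import json
import re

# The two sanitized events from the question, embedded as constructed input.
# Both carry a trailing comma before '}', which strict JSON rejects.
BEFORE_EVENT = """{
"EventTime" : "02/23/2017-09:07:47",
"EventName" : "ChangeObject",
"EventType" : "Configuration",
"MQLONG MsgSeqNumber" : "1(0x00000001)",
"MQCAALTERATIONDATE" : "2017-02-23",
"MQCAALTERATIONTIME" : "09.01.47",
}"""

AFTER_EVENT = """{
"EventTime" : "02/23/2017-09:07:47",
"EventName" : "ChangeObject",
"EventType" : "Configuration",
"MQLONG MsgSeqNumber" : "2(0x00000002)",
"MQCAALTERATIONDATE" : "2017-02-23",
"MQCAALTERATIONTIME" : "09.07.47",
}"""

MISSING = "<absent>"  # marker for a field present in only some events

# A comma followed only by whitespace and a closing brace/bracket.
_TRAILING_COMMA = re.compile(r",(\s*[}\]])")


def parse_lenient(text):
    """Parse one event, tolerating a trailing comma before '}' or ']'
    (as in the sanitized samples above); everything else is strict JSON."""
    return json.loads(_TRAILING_COMMA.sub(r"\1", text))


def values_per_field(events):
    """Equivalent of `stats values(*) AS *`: the set of distinct values each
    field takes across all events. Unlike Splunk, a field absent from an
    event contributes MISSING, so additions and removals count as changes."""
    fields = set()
    for ev in events:
        fields.update(ev)
    return {
        f: {str(ev[f]) if f in ev else MISSING for ev in events}
        for f in fields
    }


def changed_fields(events):
    """Equivalent of `untable ... | where mvcount(fieldvalue)!=1`: keep only
    the fields with more than one distinct value. Works for any number of
    events, not just two."""
    return {
        f: sorted(vals)
        for f, vals in values_per_field(events).items()
        if len(vals) != 1
    }


def diff_events(before, after):
    """Two-event view: {field: (before_value, after_value)} for every field
    whose value differs, i.e. the before/after audit record asked for."""
    out = {}
    for f in sorted(set(before) | set(after)):
        b, a = before.get(f, MISSING), after.get(f, MISSING)
        if b != a:
            out[f] = (b, a)
    return out


if __name__ == "__main__":
    before = parse_lenient(BEFORE_EVENT)
    after = parse_lenient(AFTER_EVENT)
    for field, (old, new) in diff_events(before, after).items():
        print(f"{field}: {old!r} -> {new!r}")
```

On the sample events this reports only MQCAALTERATIONTIME and MQLONG MsgSeqNumber, matching what the Splunk search returns; diff_events is the two-event report, changed_fields is the N-event generalisation of the mvcount check.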