
How to show threat names in field1 and not in field2?

New Member

I have 2 different fields that both contain threat names.
I want to show which of the threat names are in field1 and not in field2. How do I show that?


Re: How to show threat names in field1 and not in field2?

Ultra Champion

Are the two fields in the same event, or different events?


Re: How to show threat names in field1 and not in field2?

New Member

They are in the same index.


Re: How to show threat names in field1 and not in field2?

Ultra Champion

But does 1 event contain both fields?


Re: How to show threat names in field1 and not in field2?

New Member

Can you clarify?


Re: How to show threat names in field1 and not in field2?

Ultra Champion

Can you share your search and some example events. Remember to remove anything sensitive.


Re: How to show threat names in field1 and not in field2?

New Member

I'll share example events:
variant1 = ["tempedreve","suppobox","necurs","ramnit","tofsee","simda","tinba"]
variant2 = ["necurs","pykspa","suppobox","simda"]
I already have the ability to extract each variant name into a different field, so that each row contains one variant name instead of an array.

I want to show only the variant names that are in variant1 and not in variant2.


Re: How to show threat names in field1 and not in field2?

SplunkTrust

Do variant1 and variant2 appear in the same event (do all events have both fields available)? Are the extracted variant1 and variant2 multivalued fields?


Re: How to show threat names in field1 and not in field2?

Esteemed Legend

You are a patient man.


Re: How to show threat names in field1 and not in field2?

New Member

Yes, both fields appear in the same event.
The extracted fields are not multivalued; both contain a single value.

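One way to compute "in variant1 but not in variant2" for the example events above, given the clarification that both arrays sit in the same event. This is an added example written for this thread, not a query posted by anyone in it. The index and sourcetype names (`threat_intel`, `dga_variants`), the field names `v1_raw`/`v2_raw`/`only_in_variant1`, and the assumption that each event's raw text contains the two `variantN = [...]` arrays exactly as shown in the example events are all assumptions made for the example. It re-extracts both arrays from `_raw` as multivalue fields rather than relying on the single-valued extraction the original poster already has, so that the set difference can be done per event with `mvmap` and `mvfind` (both available in Splunk 8.0 and later).

```spl
index=threat_intel sourcetype=dga_variants
| rex field=_raw "variant1\s*=\s*\[(?<v1_raw>[^\]]*)\]"
| rex field=_raw "variant2\s*=\s*\[(?<v2_raw>[^\]]*)\]"
| eval variant1=split(replace(v1_raw, "[\"\s]", ""), ",")
| eval variant2=split(replace(v2_raw, "[\"\s]", ""), ",")
| eval only_in_variant1=mvmap(variant1,
      if(isnull(mvfind(variant2, "^".variant1."$")), variant1, null()))
| where isnotnull(only_in_variant1)
| table _time variant1 variant2 only_in_variant1
```

The two `rex` commands capture the bracketed contents, `replace` strips the quotes and whitespace, and `split` turns each list into a multivalue field. `mvmap` then walks every value of `variant1`; inside the expression, `variant1` refers to the current element, and `mvfind` returns null when no value of `variant2` matches the anchored regex `^name$`, so only unmatched names survive. For the example events this yields `tempedreve`, `ramnit`, `tofsee` and `tinba`. Two caveats: the match is a regex, so variant names containing regex metacharacters would need escaping before being concatenated into the pattern, and if the names had instead been expanded to one per row (as with `mvexpand`), you would first regroup them per report with `stats values(variant1) as variant1 values(variant2) as variant2 by <report key>` before the `mvmap` step; add `| mvexpand only_in_variant1` at the end if one name per row is wanted.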