Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

get the list of keyword values which is present in one query and not present in second query

dsha
Engager
‎11-13-2018 12:19 PM

we have two queries . both the queries have same keyword with value.so we would like to list the values of the keyword which are present in first query and the same keyword value's not present in the second query

query 1:
index=storeapp "Received the content for checking further"
query 2:
index=storeapp "Successfully completed the check and returned back the result

both the query events have common keyword with value as ASSETID=12345 .so here we would like to get the list of values which are present in one query and the same value not present in second query.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎11-14-2018 06:55 PM

Without a sample, this is a bit harder. But try in general combining the two into one thing, grouping on ASSETID with a count, then just selecting those with a count of 1. The idea would be that if it had both items, count would be two, if it had only one, it would have one.

I'm going to assume there's a field called, let's say "message" that is the contents of those strings, so a message of "Received the content for checking further" and one message of "Successfully completed the check and returned back the result". If this is not the case, you should create those extractions. Or you could built a tag for them. Or event type. Whatever, something like that.

So, perhaps, again assuming the field message as described above:

search index=storeapp (message="Received the content for checking further" OR message="Successfully completed the check and returned back the result")
| stats count, list(message) BY ASSETID
| search count>1

This may or may not work as is - probably not, but again we don't have sample events to really work with here. You give us pseudo-events, we give you pseudo-answers. 🙂

Anyway, I do hope that helps! Do write back with more detail if this isn't what you need, or if it's half of it but not quite perfect yet.

Happy Splunking,
Rich

0 Karma
Reply

bandit
Motivator
‎11-13-2018 07:23 PM

Would be helpful to have some sample records.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...