I have two sets of results which give AVC_ID, and what I want is to compare these two sets of results and only display the missing AVC_ID with respect to each of the searched results.
Like search result 1:
AVC1
AVC2
AVC3
search result 2
AVC1
AVC3
AVC4
Expected output:
1. missed value in search result 1 with respect to search result 2
AVC4
2. missed value in search result 2 with respect to search result 1
AVC2
I tried the query below and am getting an error:
search 1:
eventtype="li_specific" |eval (AVC_ID=case(searchmatch("AVC*"),"AVC*") |dedup AVC_ID,_time |append [search eventtype="hfc" |eval (AVC_ID=case(searchmatch("AVC*"),"AVC*") |dedup AVC_ID,_time ] |table AVC_ID
search 2:
eventtype="ne_config" |eval (AVC_ID=case(searchmatch("AVC*"),"AVC*") |dedup AVC_ID,_time |table AVC_ID
comparison query:
eventtype="li_specific" |eval (AVC_ID=case(searchmatch("AVC*"),"AVC*") |dedup AVC_ID,_time |append [search eventtype="hfc" |eval (AVC_ID=case(searchmatch("AVC*"),"AVC*") |dedup AVC_ID,_time ] NOT ([search eventtype="ne_config" |eval (AVC_ID=case(searchmatch("AVC*"),"AVC*") |dedup AVC_ID,_time |table AVC_ID |rename AVC_ID as "avc missing in ne config"])
Error which I got while running the comparison search:
: Error in 'append' command: The last argument must be a subsearch
Could you please help me with how to achieve this?
Thanks in advance.
Mani
Try using multisearch. This isn't super fast, but it did the trick. I added an extra value to each list to play around with when there were multiple differences.
| multisearch
    [ search source="result1.csv" NOT
        [ search index="scratchpad" sourcetype="results" source="result2.csv"
        | fields AVC_ID]
    | eval OneNotTwo=AVC_ID
    | fields OneNotTwo]
    [ search source="result2.csv" NOT
        [ search index="scratchpad" sourcetype="results" source="result1.csv"
        | fields AVC_ID]
    | eval TwoNotOne=AVC_ID
    | fields TwoNotOne]
| stats values(OneNotTwo) as OneNotTwo values(TwoNotOne) as TwoNotOne
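A different way to get the same two-sided difference, added here as an example and not part of the original posts: tag each row with the result set it came from, then let `stats` find the AVC_ID values that appear in only one set, which avoids the `NOT [subsearch]` filter and its subsearch result limits. The `makeresults` rows recreate the sample values from the question; the field names `result_set`, `present_in`, `set_count` and `missing_in` are hypothetical.

```spl
| makeresults
| eval AVC_ID=split("AVC1,AVC2,AVC3", ","), result_set="result1"
| mvexpand AVC_ID
| append
    [| makeresults
     | eval AVC_ID=split("AVC1,AVC3,AVC4", ","), result_set="result2"
     | mvexpand AVC_ID]
| stats values(result_set) as present_in dc(result_set) as set_count by AVC_ID
| where set_count=1
| eval missing_in=if(present_in="result1", "search result 2", "search result 1")
| table AVC_ID missing_in
| sort AVC_ID
```

With the question's sample values this returns AVC2 as missing in search result 2 and AVC4 as missing in search result 1. Against real data, replace the two `makeresults` sections with the base searches, each followed by an `eval` that sets `result_set`.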