
How do you display events that match a condition but don't match another (full join without intersection)?

zebu14
Explorer

Hello,

I have events that are emitted by many partners to 4 different servers.

My goal is to find events for each partner that are received on two servers but NEVER on the others (and vice versa).

Actually, I'm doing a search for events that match with server1 or server2. Then, I do another search for events that match with server3 or server4. And finally I export everything in a CSV and I am doing the list of partners that are only present on one of the groups

What I am trying to obtain is like an SQL "Full Join without intersection"

My actual search is like:

index="XXX" Direction=I (Gateway=server1 OR Gateway=server2) | stats count by Partner

Is it possible to obtain what I need in only one search?

Thank you


kamlesh_vaghela
SplunkTrust

@zebu14

Can you please try the search below?

YOUR_FIRST_SEARCH | stats count by Partner | rename Partner as Partner1
| appendcols
    [ search YOUR_SECOND_SEARCH | stats count by Partner | rename Partner as Partner2 ]
| eventstats values(Partner2) as Partner2_All values(Partner1) as Partner1_All
| eval Partner1_in=if(isnull(Partner1),"1",mvfind(Partner2_All,Partner1)), Partner2_in=if(isnull(Partner2),"1",mvfind(Partner1_All,Partner2))
| eval Partner1=case(isnull(Partner1_in),Partner1), Partner2=case(isnull(Partner2_in),Partner2)
| table Partner1 Partner2

zebu14
Explorer

Hello,

Thanks for your proposal.

I obtain two columns in which some partners are common and others are not...
It doesn't seem to work.

Maybe I didn't explain my need correctly.

If I consider two columns 1 and 2:

1:    2:
AAA   AAA
BBB   CCC
CCC   EEE
DDD

I want the search to give me this answer
BBB
DDD
EEE

And not the events that are present in each column (or independent search).

Maybe it is possible to do through the function "Join type=outer" but I can't find a suitable syntax for my search job.
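
One way to get that symmetric difference in a single search, as an added example that is not part of this thread: tag each event with the server group it arrived on, then keep only the partners seen in exactly one group. It assumes the index, Direction filter and Gateway values server1..server4 from the question; with the two columns above it returns BBB and DDD (group 1 only) and EEE (group 2 only).

```spl
index="XXX" Direction=I (Gateway=server1 OR Gateway=server2 OR Gateway=server3 OR Gateway=server4)
| eval grp=if(Gateway="server1" OR Gateway="server2", "servers_1_2", "servers_3_4")
| stats dc(grp) AS grp_count, values(grp) AS grp, values(Gateway) AS Gateway, count BY Partner
| where grp_count=1
| table Partner grp Gateway count
```

Partners seen on both groups get grp_count=2 and are dropped by the where clause; changing it to where grp_count=2 gives the intersection instead.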
