Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you display events that match a condition but don't match another (full join without intersection)?

zebu14
Explorer
‎11-05-2018 06:02 AM

Hello,

I have events that are emitted by many parters to 4 different servers

My goal is to find events for each partner that are received on two servers but NEVER on the others (and vice versa).

Actually, I'm doing a search for events that match with server1 or server2. Then, I do another search for events that match with server3 or server4. And finally I export everything in a CSV and I am doing the list of partners that are only present on one of the groups

What I am trying to obtain is like an SQL "Full Join without intersection"

My actual search is like :

index="XXX" Direction=I Gateway=server1 or server2| stats count by Partner

Is it possible to obtain what I need in an only search ?

Thank you

Tags (1)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-05-2018 10:09 AM

@zebu14

Can you please try below search?

| YOUR_FIRST_SEARCH | stats count by Partner | rename as Partner1
| appendcols 
[
         search | YOUR_SECOND_SEARCH | stats count by Partner | rename as Partner2
] 
| eventstats values(Partner2) as Partner2_All values(Partner1) as Partner1_All 
| eval Partner1_in=if(isnull(Partner1),"1",mvfind(Partner2_All,Partner1)), Partner2_in=if(isnull(Partner2),"1",mvfind(Partner1_All,Partner2)) 
| eval Partner1=case(isnull(Partner1_in),Partner1), Partner2=case(isnull(Partner2_in),Partner2) | table Partner1 Partner2
0 Karma
Reply

zebu14
Explorer
‎11-06-2018 12:42 AM

Hello,

Thanks for your proposal.

I obtain two columns in which some partners are common and others are not...
It doesn't seem to work.

Maybe I didn't explained my need correctly.

If i consider two columns 1 and 2 :
1: 2:
AAA AAA
BBB CCC
CCC EEE
DDD

I want the search to give me this answer
BBB
DDD
EEE

And not the events thare are present in each colomn (or independant search)

Maybe it is possible to do through the function "Join type=outer" but I can't find a suitable syntax for my search job.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...