Compare records from two different indexes by matc...

rachel88 · ‎08-14-2019

Hello community,

i have two databases a and b. There are data fields which I would like to compare with each other. What does such a query look like?
Each field must be compared with each field of the database b during adjustment. Important the match must not exactli by field in index b.

Match result positiv:

Index A:
field_scan="test/local/qwerty/6789"

Index B:
field_static="qwerty/6789"

Who can help me?

Im a beginner into the splunk world...

Thank you

richgalloway · ‎08-14-2019

Typically, that is done like this

index=A OR index=B | stats values(*) as * by field

but that requires and exact match of 'field' in each index. So what you'll need to do is massage field into something Splunk can compare.

index=A OR index=B | eval newfield=<something that normalizes field> | stats values(*) as * by newfield

or use rex to normalize the field

index=A OR index=B | rex field=field "(?<newfield>something)" | stats values(*) as * by newfield

I'll leave the "something" up to you since only you know how to compare the data in each index.

---
If this reply helps you, Karma would be appreciated.

Compare records from two different indexes by match

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor