Can I iterate on logs and compare two logs from another source?

Lictor
New Member

Hi,

I have a report that logs results for multiple IDs from 2 different SourceTypes. I need to find out if the report from the two sources is identical or not and find out if any of the sources has an event with an id that doesn't exist in the other source.

Example:
SourceType="A"
log1: id="id1" value="Val1"
log2: id="id2" value="Val2"
log3: id="id3" value="Val3"

SourceType="B"
log1: id="id1" value="Val1"
log2: id="id2" value="Val3"
log3: id="id4" value="Val4"

I need the result to return log1 identical on the two sources, log2 doesn't match on the 2 sources, log3 only in source "A" and log4 only in source "B".

I couldn't find a way to iterate and compare in that way. Can anyone help?

0 Karma

aweitzman
Motivator

I don't understand your question. There is no "log4" in your example, so your statement log4 only in source "B" doesn't make any sense. It's not clear from your data what the relationship is between logs and ids, and what you're really comparing. Can you please restate your question?

That said, in Splunk you want to avoid thinking about things in terms of iterating if you can. @somesoni2's answer is in the direction you want to go: combine the two sources and figure out which things are the same by virtue of them being doubled up (in other words, by counting rather than comparing), and then it's just a matter of sorting out what to do with the rest of the data that doesn't match up, and adding some presentation around that.

0 Karma

somesoni2
Revered Legend

Try this

sourcetype=A OR sourcetype=B | eval temp=id."#".value | eventstats values(sourcetype) as vals by temp | where mvcount(vals)=2

Lictor
New Member

Not exactly what I am looking for.
I need to find a way to look for all the ids in SourceType A (one by one) and then search for the found id in SourceType B and match the two log lines.
Need to do that for all IDs, where the ids are unknown (not a preset of ids).

0 Karma
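
The counting approach described in the replies above, extended to label each id with one of the four outcomes the question asks for. This is an added example, not a query posted by anyone in the thread. It assumes the fields id and value are extracted at search time and that each id occurs at most once per sourcetype; the output field names sources, source_count, distinct_values and status are chosen here for illustration.

```spl
sourcetype=A OR sourcetype=B
| stats values(sourcetype) AS sources dc(sourcetype) AS source_count dc(value) AS distinct_values BY id
| eval status=case(
    source_count=2 AND distinct_values=1, "identical in both sources",
    source_count=2, "present in both sources, values differ",
    sources="A", "only in source A",
    sources="B", "only in source B")
| table id sources status
```

Grouping by id removes the need to loop over ids one by one: stats produces one row per id found in either source, so ids that are unknown in advance are covered automatically.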