How to compare json file and find the difference in log file?

karthi2809
Contributor

How do I compare differences in the JSON file? If there is no difference, we are good. But in my case I need to compare N_aaa and A_aaa and find out the difference.

N_aaa

A_aaa

{
"AAA": {
"modified_files": [

"a/D:\\\\splunk\\\\Repos\\\\Wed\\\\N_aaa/aaa/pack-672b2efd6aada12ecfc8d1745f805706f43902f4.idx",
"a/D:\\\\splunk\\\\Repos\\\\Wed\\\\N_aaa/aaa/pack-672b2efd6aada12ecfc8d1745f805706f43902f4.pack",
"a/D:\\\\splunk\\\\Repos\\\\Wed\\\\A_aaa/aaa/objects/pack/pack-8a069e643d668a0715f82a237b44f1554535719f.idx",
"a/D:\\\\splunk\\\\Repos\\\\Wed\\\\A_aaa/aaa/objects/pack/pack-8a069e643d668a0715f82a237b44f1554535719f.pack"
]
}
}


richgalloway
SplunkTrust

What is the expected output?

---
If this reply helps you, Karma would be appreciated.

karthi2809
Contributor

 

{
  "CODE": {
    "modified_files": [
      "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/HEAD",
      "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/config",
      "a/D:\\\\splunk_code_replication\\\\BBB_CODE/.git/index",
      "a/D:\\\\splunk_code_replication\\\\BBB_CODE/.git/config",
      "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/logs/refs/heads/master",
      "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/version.json"
    ]
  }
}
{
  "TOOlKIT": {
    "modified_files": [
      "a/D:\\\\splunk_code_replication\\\\AAA_TOOLKIT/.git/HEAD",
      "a/D:\\\\splunk_code_replication\\\\AAA_TOOLKIT/.git/config",
      "a/D:\\\\splunk_code_replication\\\\BBB_TOOLKIT/.git/index",
      "a/D:\\\\splunk_code_replication\\\\BBB_TOOLKIT/.git/config",
      "a/D:\\\\splunk_code_replication\\\\AAA_TOOLKIT/.git/logs/refs/heads/master"
    ]
  }
}

 

@richgalloway The above events are in Splunk. We have two repos in git: 1. AAA 2. BBB. Whenever the repos replicate, both repos should have the same files. But in my case, after replication, files in both repos are missing, so I should compare the files, find which files are missing, and send an alert as a difference in repos.

INTERESTING FIELDS:

CODE.Modified_files{}

TOOLKIT.Modified_files{}

 

Expected output after comparing:

CODE.Modified_files{}

"a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/logs/refs/heads/master",
"a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/version.json"

These files are only present in the AAA repo but not in BBB. So we need to compare AAA and BBB for missing files, as per the event, and show the difference.

 


karthi2809
Contributor

We are comparing the files of two git repos (N_aaa, A_aaa). The files in N_aaa and A_aaa should be common. In case of any difference in the files, it should report a difference in the files.

"a/D:\\\\splunk\\\\Repos\\\\Wed\\\\N_aaa/aaa/pack-672b2efd6aada12ecfc8d1745f805706f43902f4.idx",

"a/D:\\\\splunk\\\\Repos\\\\Wed\\\\A_aaa/aaa/objects/pack/pack-8a069e643d668a0715f82a237b44f1554535719f.idx",


"a/D:\\\\splunk\\\\Repos\\\\Wed\\\\N_aaa/aaa/pack-672b2efd6aada12ecfc8d1745f805706f43902f4.pack",

"a/D:\\\\splunk\\\\Repos\\\\Wed\\\\A_aaa/aaa/objects/pack/pack-8a069e643d668a0715f82a237b44f1554535719f.pack"


richgalloway
SplunkTrust

To me, the desired output looks like a stripped-down version of the input.  You can do that using spath and mvexpand.

| spath | mvexpand "AAA.modified_files{}"

 

---
If this reply helps you, Karma would be appreciated.

ITWhisperer
SplunkTrust
SplunkTrust

Is Splunk the right tool for this? Perhaps you should be using something else to do the file comparison? You could then feed the logs from the output of the comparison to Splunk for it to monitor and report on?
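
One way to do the comparison outside Splunk, as suggested in the reply above. This is an added example, not code from any poster in the thread: it groups the paths of one event by repo folder and emits a JSON line listing the files one repo has and the other lacks, which Splunk can then index and alert on. The function name, the output field names and the path regex are assumptions based on the sample events in this thread.

```python
import json
import re
from collections import defaultdict

# Assumed path shape (from the thread's samples):
#   a/<drive and folders joined by backslashes>\<REPO>/<path inside the repo>
PATH_RE = re.compile(r"^a/.*\\(?P<repo>[^\\/]+)/(?P<rel>.+)$")


def repo_diff(event: dict) -> dict:
    """Per top-level key, map repo name -> files it has that another repo lacks."""
    report = {}
    for group, body in event.items():
        files = defaultdict(set)
        for path in body.get("modified_files", []):
            m = PATH_RE.match(path)
            if m is None:
                raise ValueError(f"unrecognised path: {path!r}")
            files[m["repo"]].add(m["rel"])
        # Files present in every repo of this group are in sync.
        common = set.intersection(*files.values()) if files else set()
        only = {repo: sorted(rels - common) for repo, rels in files.items()}
        if any(only.values()):  # groups with no difference are left out
            report[group] = only
    return report


# Constructed sample: the CODE event as posted in the thread.
SAMPLE_EVENT = r'''
{"CODE": {"modified_files": [
  "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/HEAD",
  "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/config",
  "a/D:\\\\splunk_code_replication\\\\BBB_CODE/.git/index",
  "a/D:\\\\splunk_code_replication\\\\BBB_CODE/.git/config",
  "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/logs/refs/heads/master",
  "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/version.json"
]}}
'''


def main():
    # One JSON line per group with a difference; "status" and "only_in"
    # are hypothetical field names to search or alert on in Splunk.
    for group, only in repo_diff(json.loads(SAMPLE_EVENT)).items():
        print(json.dumps({"group": group, "status": "difference", "only_in": only}))


if __name__ == "__main__":
    main()
```

On the CODE sample this reports `.git/HEAD`, `.git/logs/refs/heads/master` and `.git/version.json` as only in AAA_CODE, and `.git/index` as only in BBB_CODE.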
