How to compare json file and find the difference in log file?

karthi2809
Builder

How do I compare differences in the JSON file? If there is no difference, we are good. But in my case I need to compare N_aaa and A_aaa and find the difference.

N_aaa

A_aaa

{
  "AAA": {
    "modified_files": [
      "a/D:\\\\splunk\\\\Repos\\\\Wed\\\\N_aaa/aaa/pack-672b2efd6aada12ecfc8d1745f805706f43902f4.idx",
      "a/D:\\\\splunk\\\\Repos\\\\Wed\\\\N_aaa/aaa/pack-672b2efd6aada12ecfc8d1745f805706f43902f4.pack",
      "a/D:\\\\splunk\\\\Repos\\\\Wed\\\\A_aaa/aaa/objects/pack/pack-8a069e643d668a0715f82a237b44f1554535719f.idx",
      "a/D:\\\\splunk\\\\Repos\\\\Wed\\\\A_aaa/aaa/objects/pack/pack-8a069e643d668a0715f82a237b44f1554535719f.pack"
    ]
  }
}

0 Karma

richgalloway
SplunkTrust

What is the expected output?

---
If this reply helps you, Karma would be appreciated.
0 Karma

karthi2809
Builder

 

{
  "CODE": {
    "modified_files": [
      "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/HEAD",
      "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/config",
      "a/D:\\\\splunk_code_replication\\\\BBB_CODE/.git/index",
      "a/D:\\\\splunk_code_replication\\\\BBB_CODE/.git/config",
      "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/logs/refs/heads/master",
      "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/version.json"
    ]
  }
}
{
  "TOOlKIT": {
    "modified_files": [
      "a/D:\\\\splunk_code_replication\\\\AAA_TOOLKIT/.git/HEAD",
      "a/D:\\\\splunk_code_replication\\\\AAA_TOOLKIT/.git/config",
      "a/D:\\\\splunk_code_replication\\\\BBB_TOOLKIT/.git/index",
      "a/D:\\\\splunk_code_replication\\\\BBB_TOOLKIT/.git/config",
      "a/D:\\\\splunk_code_replication\\\\AAA_TOOLKIT/.git/logs/refs/heads/master"
    ]
  }
}

 

@richgalloway The above events are in Splunk. We have two repos in git: 1. AAA 2. BBB. Whenever the repos replicate, both repos should have the same files. But in my case, after replication, files are missing in the repos, so I need to compare the files, find which files are missing, and send an alert as a difference in repos.

INTERESTING FIELDS:

CODE.Modified_files{}

TOOLKIT.Modified_files{}

 

Expected output after comparing:

CODE.Modified_files{}

"a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/logs/refs/heads/master",
"a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/version.json"

These files are present only in the AAA repo and not in BBB. So we need to compare AAA and BBB for missing files, as per the event, and show the difference.

 

0 Karma

karthi2809
Builder

We are comparing the files of two git repos (N_aaa, A_aaa). The files in N_aaa and A_aaa should be the same. In case of any difference in the files, it should be reported as a difference in the file.

"a/D:\\\\splunk\\\\Repos\\\\Wed\\\\N_aaa/aaa/pack-672b2efd6aada12ecfc8d1745f805706f43902f4.idx",

"a/D:\\\\splunk\\\\Repos\\\\Wed\\\\A_aaa/aaa/objects/pack/pack-8a069e643d668a0715f82a237b44f1554535719f.idx",


"a/D:\\\\splunk\\\\Repos\\\\Wed\\\\N_aaa/aaa/pack-672b2efd6aada12ecfc8d1745f805706f43902f4.pack",

"a/D:\\\\splunk\\\\Repos\\\\Wed\\\\A_aaa/aaa/objects/pack/pack-8a069e643d668a0715f82a237b44f1554535719f.pack"

0 Karma

richgalloway
SplunkTrust

To me, the desired output looks like a stripped-down version of the input.  You can do that using spath and mvexpand.

| spath | mvexpand "AAA.modified_files{}"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma

ITWhisperer
SplunkTrust

Is Splunk the right tool for this? Perhaps you should be using something else to do the file comparison? You could then feed the logs from the output of the comparison to Splunk for it to monitor and report on?

0 Karma
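The external comparison suggested in the last reply, as an added example that is not part of the original thread or any poster's code: it groups the logged paths by repo directory and reports, per repo, the files seen in a sibling repo but missing from it. The function names `split_path` and `repo_differences` are hypothetical, and it assumes the repo directory is the last backslash-separated path component (for example `AAA_CODE`).

```python
import json

# Constructed sample, modelled on the CODE event posted in the thread.
SAMPLE_EVENT = r'''
{"CODE": {"modified_files": [
  "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/HEAD",
  "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/config",
  "a/D:\\\\splunk_code_replication\\\\BBB_CODE/.git/index",
  "a/D:\\\\splunk_code_replication\\\\BBB_CODE/.git/config",
  "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/logs/refs/heads/master",
  "a/D:\\\\splunk_code_replication\\\\AAA_CODE/.git/version.json"
]}}
'''


def split_path(path):
    """Split a logged path into (repo_dir, relative_path).

    Assumption: the repo directory is the last backslash-separated
    component, and everything after its first '/' is the file path.
    """
    tail = path.rsplit("\\", 1)[-1]
    repo_dir, _, rel = tail.partition("/")
    return repo_dir, rel


def repo_differences(event):
    """Return {group: {repo_dir: [files seen in a sibling repo but not here]}}."""
    report = {}
    for group, body in event.items():
        files_by_repo = {}
        for path in body.get("modified_files", []):
            repo_dir, rel = split_path(path)
            files_by_repo.setdefault(repo_dir, set()).add(rel)
        all_files = set().union(*files_by_repo.values())
        missing = {repo: sorted(all_files - files)
                   for repo, files in files_by_repo.items()
                   if all_files - files}
        if missing:
            report[group] = missing
    return report


if __name__ == "__main__":
    # One JSON line per run, suitable for a log file that Splunk monitors.
    print(json.dumps(repo_differences(json.loads(SAMPLE_EVENT)), sort_keys=True))
```

An empty result means every file was logged under each repo of the group. On the sample event the report also lists `.git/HEAD` and `.git/index`, since each appears under only one repo.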