Getting Data In

Using 'set diff' to compare searches, but outputting multiple columns

sepkarimpour
Path Finder

I created a search that'll display the difference between two searches using 'set diff' - I initially set it to compare on one column (hosts), so if there's a difference between the two, it'll show up and create an alert based off this. However, I'd want to show both the hostname and the sourcetype if possible in the final search.

I initially tried to set it to show both host and sourcetype as part of the searches for the set diff, but it displays all the hosts, as the two searches use separate sourcetypes. I also tried setting it to display the final table to show the host and sourcetype, but I get an error from set diff.

Is there a way to do this using 'set diff' or is there a different method, such as using a 'multisearch' to compare?

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Nope, set diff just isn't that useful, not allowing you to compare on anything and keep other data to output where the data came from. You'll have to use join or another strategy.

Here's one useful strategy ...

 your search that gets 1 OR your search that gets 2
| fields host sourcetype
| eval host=upper(host)
| stats values(sourcetype) as sourcetype by host
| where mvcount(sourcetype)<2

sepkarimpour
Path Finder

Thank you for your answer. It's working as I'd want it to now, but I had a couple of further questions:

  1. If I only wanted the alert to go off for a certain sourcetype, could I add another WHERE along the lines of "| where sourcetype = XXX" at the end of the search?

  2. Is there a way of doing this using 'hostname' rather than 'host'? This is more out of preference, since most of my searches are based on the former, but as the output is virtually the same, this isn't a priority.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

  1. Yes.
  2. Sure, just change the variable name in all places.

    your search that gets 1 OR your search that gets 2
    | fields hostname sourcetype
    | eval hostname=upper(hostname)
    | stats values(sourcetype) as sourcetype by hostname
    | where mvcount(sourcetype)<2 AND sourcetype="whatever"

0 Karma
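The accepted answer above and the follow-up reply (restricting the alert to one sourcetype) can be run end to end without any indexed data. The search below is an added example, not code from the original posts: it builds both sides with makeresults, then applies the same union / stats / mvcount pattern. The host names, the two sourcetypes (linux_secure and sysmon), and the side, missing_from and A/B labels are all constructed for the illustration. It goes one step beyond the answer by tagging each event with the side it came from, so the result still works if a side returns more than one sourcetype, or both sides share one.

```spl
| makeresults
| eval host=split("web01,web02,web03", ","), sourcetype="linux_secure"
| mvexpand host
| append
    [| makeresults
     | eval host=split("web01,web02,db01", ","), sourcetype="sysmon"
     | mvexpand host]
| fields host sourcetype
| eval host=upper(host)
| eval side=if(sourcetype="linux_secure", "A", "B")
| stats values(side) as side values(sourcetype) as sourcetype by host
| where mvcount(side)<2
| eval missing_from=if(side="A", "B", "A")
| table host sourcetype side missing_from
```

The first block stands in for "your search that gets 1", the appended block for "your search that gets 2" (constructed data). Uppercasing host, as in the answer, stops a host reported as web01 by one source and WEB01 by the other from being counted as two hosts. After stats, side and sourcetype are multivalue fields; a host seen on both sides has two side values and is dropped by mvcount(side)<2, so the output is the two hosts that appear on one side only (WEB03, only in linux_secure, and DB01, only in sysmon), each with the side it is missing from. Appending `AND side="B"` to the where clause is equivalent to the `AND sourcetype="whatever"` filter in the reply when each side is a single sourcetype, and keeps working when it is not.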

niketn
Legend

@sepkarimpour, can you add your search query in the question?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Richfez
SplunkTrust
SplunkTrust

Let me throw this out there - having not used set diff at all, my first thought is to build a new field with something like ... | eval host_and_sourcetype = host . "--" . sourcetype and use that as your set/set diff.

Not quite a full answer, but if this works and is all you need, we can wordsmith it up and I can convert it to an Answer easily enough.

0 Karma

cmerriman
Super Champion

I agree with @rich7177. |set will only bring back the one column, so you'll want to |eval the information in your subsearches. Remember, however, that there are limits with set.
http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Set

0 Karma
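The composite-key idea in the two comments above (build one field from host and sourcetype, diff on that) does work when both searches draw from the same sourcetypes, for example the last 24 hours against the 24 hours before, to catch a host/sourcetype pair that stopped reporting. The search below is an added example, not code from the original comments; the host names, the sourcetype values and the key field name are constructed for the illustration.

```spl
| set diff
    [| makeresults
     | eval key=split("web01--linux_secure,web02--linux_secure,web01--sysmon", ",")
     | mvexpand key
     | table key]
    [| makeresults
     | eval key=split("web01--linux_secure,web02--linux_secure,web01--sysmon,web02--sysmon,db01--linux_secure", ",")
     | mvexpand key
     | table key]
| rex field=key "^(?<host>.+?)--(?<sourcetype>.+)$"
| table host sourcetype
```

Each subsearch reduces its results to the single key field (with real data that would be `| eval key=host."--".sourcetype | table key`), so set compares only the key; the rex afterwards splits host and sourcetype back out for the table or the alert. With this constructed data the result is the two pairs present on only one side, web02/sysmon and db01/linux_secure. Two caveats a practitioner should keep in mind: set diff returns the symmetric difference without saying which side a row came from, and in the arrangement described in the question (each search is a different sourcetype) every key is unique to one side by construction, so the diff returns every host, which is exactly what the question reports. The subsearch result limits from the linked Set documentation apply to each side, and a truncated side shows up as spurious differences, so the stats approach in the accepted answer is the safer choice for an alert.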