Using 'set diff' to compare searches, but outputting multiple columns

Path Finder

I created a search that'll display the difference between two searches using 'set diff'. I initially set it to compare on one column (hosts), so if there's a difference between the two, it'll show up and create an alert based off this. However, I'd want to show both the hostname and the sourcetype, if possible, in the final search.

I initially tried to set it to show both host and sourcetype as part of the searches for the set diff, but it displays all the hosts, as the two searches use separate sourcetypes. I also tried setting the final table to show the host and sourcetype, but I get an error from set diff.

Is there a way to do this using 'set diff' or is there a different method, such as using a 'multisearch' to compare?

0 Karma
1 Solution

SplunkTrust

Nope, set diff just isn't that useful, not allowing you to compare on anything and keep other data to output where the data came from. You'll have to use join or another strategy.

Here's one useful strategy ...

 your search that gets 1 OR your search that gets 2
| fields host sourcetype
| eval host=upper(host)
| stats values(sourcetype) as sourcetype by host
| where mvcount(sourcetype)<2



Path Finder

Thank you for your answer. It's working as I'd want it to now, but I had a couple of further questions:

  1. If I only wanted the alert to go off for a certain sourcetype, could I add another WHERE along the lines of "| where sourcetype = XXX" at the end of the search?

  2. Is there a way of doing this using 'hostname' rather than 'host'? This is more out of preference, since most of my searches are based on the former, but as the output is virtually the same, this isn't a priority.

0 Karma

SplunkTrust

  1. Yes.
  2. Sure, just change the variable name in all places.

    your search that gets 1 OR your search that gets 2
    | fields hostname sourcetype
    | eval hostname=upper(hostname)
    | stats values(sourcetype) as sourcetype by hostname
    | where mvcount(sourcetype)<2 AND sourcetype="whatever"

0 Karma
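A runnable version of the stats/mvcount approach from the two answers above, added here as an example and not part of the thread: the makeresults/rex lines stand in for "your search that gets 1 OR your search that gets 2" and build a constructed set of host/sourcetype pairs (the hostnames and sourcetypes are made up), so the search can be pasted into any Splunk instance to see the logic before swapping in real searches.

```spl
| makeresults
| eval data="web01,access_combined;web01,linux_secure;web02,access_combined;db01,linux_secure"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<host>[^,]+),(?<sourcetype>.+)$"
| fields host sourcetype
| eval host=upper(host)
| stats values(sourcetype) as sourcetype by host
| where mvcount(sourcetype)<2
| where sourcetype="linux_secure"
```

Only DB01 survives: it reports linux_secure but has no access_combined events, while WEB02 (the reverse gap) is dropped by the sourcetype filter and WEB01 is dropped because both sourcetypes are present. The equality test on sourcetype is safe after the mvcount filter because the field is single-valued by then.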

SplunkTrust

@sepkarimpour, can you add your search query in the question?

0 Karma

SplunkTrust

Let me throw this out there - having not used set diff at all, my first thought is to build a new field with something like ... | eval host_and_sourcetype = host . "--" . sourcetype and use that as your set/set diff.

Not quite a full answer, but if this works and is all you need, we can wordsmith it up and I can convert it to an Answer easily enough.

0 Karma

Super Champion

I agree with @rich7177. |set will only bring back the one column, so you'll want to |eval the information in your subsearches. Remember, however, that there are limits with set.
http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Set

0 Karma