Reporting

Search command filtering not providing accurate results

Mary666
Communicator

Hello Splunk Community, 

I have two indexes: index=vc_xyz_idx  and index=xp_zzz_summary_idx and I am checking to see if a value named docNum is in the index=xp_zzz_summary_idx. The docNum should be in both indexes, but I am only interested in the docNum missing from index=xp_zzz_summary_idx .  I have created two eval's and renamed the indexes, since they both have the same field name - index. The issue is that I am getting false negatives. I have put in 
| search Missing_in_Blue="No"  because I only want the docNum that is missing in index=xp_zzz_summary_idx, but I get docNum that is actually in the  index=xp_zzz_summary_idx. Can someone please help?

(index="vc_xyz_idx")  OR (index="xp_zzz_summary_idx") | eval Blue=case(index=index="xp_zzz_summary_idx", docNum), Missing_in_Blue=if(docNum==xp_zzz_summary_idx, "Yes", "No") | search Missing_in_Blue="No"  | stats values(Missing_in_Blue) as Missing_in_Blue by docNum

 

Labels (1)
0 Karma
1 Solution

scelikok
Champion

Hi @Mary666,

Please try using below search;

(index="vc_xyz_idx") OR (index="xp_zzz_summary_idx") 
| stats dc(index) as count values(index) as indexes by docNum
| where count=1 AND indexes!="xp_zzz_summary_idx"
If this reply helps you an upvote is appreciated.

View solution in original post

scelikok
Champion

Nice to know it helped you 🙂

Since there are many events count would be unpredicted number, that is why I used dc (distinct count) which will result 1 or 2 for sure. I just used count as a name to use in further commands easier.

If this reply helps you an upvote is appreciated.

Mary666
Communicator

Yes, this is exactly what I was struggling with - the count issue, since the count could be 1 or 2 for the index and I only needed those where the count=1 and I see how dc helped with that. Thanks for clarifying this for me. 

0 Karma

scelikok
Champion

Hi @Mary666,

Please try using below search;

(index="vc_xyz_idx") OR (index="xp_zzz_summary_idx") 
| stats dc(index) as count values(index) as indexes by docNum
| where count=1 AND indexes!="xp_zzz_summary_idx"
If this reply helps you an upvote is appreciated.

View solution in original post

Mary666
Communicator

Mainly just want to know why you used dc instead of values... 

0 Karma

Mary666
Communicator

Thanks! this seems to have worked 🙂 

Question why  use dc and name as count - just curious about your thought process here:

dc(index) as count 

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!