Hello Splunk Community,
I have two indexes: index=vc_xyz_idx and index=xp_zzz_summary_idx, and I am checking to see if a value named docNum is in index=xp_zzz_summary_idx. The docNum should be in both indexes, but I am only interested in the docNum missing from index=xp_zzz_summary_idx. I have created two evals and renamed the indexes, since they both have the same field name, index. The issue is that I am getting false negatives. I have put in
| search Missing_in_Blue="No" because I only want the docNum that is missing in index=xp_zzz_summary_idx, but I get docNum that is actually in index=xp_zzz_summary_idx. Can someone please help?
(index="vc_xyz_idx") OR (index="xp_zzz_summary_idx")
| eval Blue=case(index=index="xp_zzz_summary_idx", docNum), Missing_in_Blue=if(docNum==xp_zzz_summary_idx, "Yes", "No")
| search Missing_in_Blue="No"
| stats values(Missing_in_Blue) as Missing_in_Blue by docNum
Hi @Mary666,
Please try using the search below:
(index="vc_xyz_idx") OR (index="xp_zzz_summary_idx")
| stats dc(index) as count values(index) as indexes by docNum
| where count=1 AND indexes!="xp_zzz_summary_idx"
Nice to know it helped you 🙂
Since there are many events, count would be an unpredictable number; that is why I used dc (distinct count), which will result in 1 or 2 for sure. I just used count as a name to make it easier to use in further commands.
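To make the dc-versus-count point concrete, here is an added Python emulation of what the answer's stats/where pipeline does to a handful of constructed events (this is not Splunk code and not part of the original thread; the event list and the helper names are invented for illustration). It shows that dc(index) is always 1 or 2 per docNum, while the raw event count varies with how many events each docNum has, so filtering on count=1 would silently drop a docNum that is missing from the summary index but has several events in vc_xyz_idx:

```python
from collections import defaultdict

SUMMARY = "xp_zzz_summary_idx"

# Constructed sample events, one (index, docNum) pair per event.
EVENTS = [
    ("vc_xyz_idx", "D001"), ("xp_zzz_summary_idx", "D001"),        # in both indexes
    ("vc_xyz_idx", "D002"), ("vc_xyz_idx", "D002"), ("vc_xyz_idx", "D002"),  # only in vc, 3 events
    ("vc_xyz_idx", "D003"),                                         # only in vc, 1 event
    ("xp_zzz_summary_idx", "D004"),                                 # only in summary
    ("vc_xyz_idx", "D005"), ("vc_xyz_idx", "D005"), ("xp_zzz_summary_idx", "D005"),  # in both
]


def stats_by_docnum(events):
    """Emulates `| stats count dc(index) values(index) by docNum`.

    Returns one row per docNum with the raw event count, the distinct
    count of index values, and the sorted set of index names.
    """
    rows = defaultdict(lambda: {"count": 0, "indexes": set()})
    for index, doc in events:
        rows[doc]["count"] += 1
        rows[doc]["indexes"].add(index)
    return {
        doc: {"count": r["count"], "dc": len(r["indexes"]), "indexes": sorted(r["indexes"])}
        for doc, r in rows.items()
    }


def missing_from_summary(events):
    """Emulates the answer: `| where dc=1 AND indexes!="xp_zzz_summary_idx"`.

    dc=1 means the docNum was seen in exactly one index; the second test
    makes sure that one index is not the summary index itself.
    """
    return sorted(
        doc for doc, r in stats_by_docnum(events).items()
        if r["dc"] == 1 and SUMMARY not in r["indexes"]
    )


def missing_using_raw_count(events):
    """Same filter, but using the raw event count instead of dc.

    This is the pitfall the answer avoids: a docNum with several events
    in vc_xyz_idx gets count=3 and is wrongly excluded.
    """
    return sorted(
        doc for doc, r in stats_by_docnum(events).items()
        if r["count"] == 1 and SUMMARY not in r["indexes"]
    )


if __name__ == "__main__":
    for doc, row in sorted(stats_by_docnum(EVENTS).items()):
        print(doc, row)
    print("missing (dc):   ", missing_from_summary(EVENTS))
    print("missing (count):", missing_using_raw_count(EVENTS))
```

Running it lists D002 and D003 as missing from the summary index with the dc-based filter, but only D003 with the raw-count filter, because D002 has three events in vc_xyz_idx and therefore a count of 3.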
Yes, this is exactly what I was struggling with - the count issue, since the count could be 1 or 2 for the index and I only needed those where the count=1 and I see how dc helped with that. Thanks for clarifying this for me.
Mainly just want to know why you used dc instead of values...
Thanks! This seems to have worked 🙂
Question: why use dc and name it count? Just curious about your thought process here:
dc(index) as count