Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How match the two different search results

james_n
Path Finder
‎07-15-2020 10:22 AM

Hi, 

how to compare search1 results with search2 and list out how many matched and not matched.
EX: search1: index=test sourcetype=sample | rex "type=(?<Job>.*) " |dedup Job |table Job
search2:  index=** sourcetype=** |rename JOBS AS Job |dedup Job |table Job

sample data from search1:

Jobs

xxx

yyy

zzz

aaa

sample data from search2:

Jobs

aaa

bbb

ccc

ddd

xxx

ttt

Expected sample output:
search1 is returning 100 jobs and search2 is returning 200 jobs, we need to list out the jobs those are not matching search1 with search2
for example: out of 100 jobs if 40 matched with search2 remaining 60 not matched jobs list in search1 

Output:

Jobs

bbb

ccc

ddd

ttt

Tried |set diff command but not worked, Please help. Thanks in advance.
       

Labels (1)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 12:43 PM

Try a subsearch

index=** sourcetype=** NOT [ index=test sourcetype=sample | rex "type=(?<Job>.*) " |dedup Job | rename Job as JOBS | fields JOBS | format ]
| rename JOBS AS Job 
| dedup Job 
| table Job

This search looks for events in index ** which are not in index test.  I changed the field name in the subsearch to match the name used in the main search. 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

james_n
Path Finder
‎07-16-2020 02:23 AM

Hi @richgalloway ,

Thanks for the quick replay, Small mistake from my side that is required output. Please find the required output.

sample results from search1:

Jobs

xxx

yyy

zzz

aaa

sample data from search2:

Jobs

aaa

bbb

ccc

ddd

xxx

ttt

Expected output:

Jobs:

yyy

zzz

Please help me, Thanks in advance.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-16-2020 06:21 AM

That changes things a bit..

index=test sourcetype=sample 
| rex "type=(?<Job>.*) " 
| dedup Job
| search NOT [ index=** sourcetype=** | rename JOBS AS Job | dedup Job | fields Job | format ] 
| table Job

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...