Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How match the two different search results

james_n
Path Finder
‎07-15-2020 10:22 AM

Hi, 

how to compare search1 results with search2 and list out how many matched and not matched.
EX: search1: index=test sourcetype=sample | rex "type=(?<Job>.*) " |dedup Job |table Job
search2:  index=** sourcetype=** |rename JOBS AS Job |dedup Job |table Job

sample data from search1:

Jobs

xxx

yyy

zzz

aaa

sample data from search2:

Jobs

aaa

bbb

ccc

ddd

xxx

ttt

Expected sample output:
search1 is returning 100 jobs and search2 is returning 200 jobs, we need to list out the jobs those are not matching search1 with search2
for example: out of 100 jobs if 40 matched with search2 remaining 60 not matched jobs list in search1 

Output:

Jobs

bbb

ccc

ddd

ttt

Tried |set diff command but not worked, Please help. Thanks in advance.
       

Labels (1)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 12:43 PM

Try a subsearch

index=** sourcetype=** NOT [ index=test sourcetype=sample | rex "type=(?<Job>.*) " |dedup Job | rename Job as JOBS | fields JOBS | format ]
| rename JOBS AS Job 
| dedup Job 
| table Job

This search looks for events in index ** which are not in index test.  I changed the field name in the subsearch to match the name used in the main search. 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

james_n
Path Finder
‎07-16-2020 02:23 AM

Hi @richgalloway ,

Thanks for the quick replay, Small mistake from my side that is required output. Please find the required output.

sample results from search1:

Jobs

xxx

yyy

zzz

aaa

sample data from search2:

Jobs

aaa

bbb

ccc

ddd

xxx

ttt

Expected output:

Jobs:

yyy

zzz

Please help me, Thanks in advance.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-16-2020 06:21 AM

That changes things a bit..

index=test sourcetype=sample 
| rex "type=(?<Job>.*) " 
| dedup Job
| search NOT [ index=** sourcetype=** | rename JOBS AS Job | dedup Job | fields Job | format ] 
| table Job

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...