How match the two different search results

james_n · ‎07-15-2020

Jobs

xxx

yyy

zzz

aaa

sample data from search2:

Jobs

aaa

bbb

ccc

ddd

xxx

ttt

Expected sample output:
search1 is returning 100 jobs and search2 is returning 200 jobs, we need to list out the jobs those are not matching search1 with search2
for example: out of 100 jobs if 40 matched with search2 remaining 60 not matched jobs list in search1

Output:

Jobs

bbb

ccc

ddd

ttt

Tried |set diff command but not worked, Please help. Thanks in advance.

richgalloway · ‎07-15-2020

Try a subsearch

index=** sourcetype=** NOT [ index=test sourcetype=sample | rex "type=(?<Job>.*) " |dedup Job | rename Job as JOBS | fields JOBS | format ]
| rename JOBS AS Job 
| dedup Job 
| table Job

This search looks for events in index ** which are not in index test. I changed the field name in the subsearch to match the name used in the main search.

---
If this reply helps you, Karma would be appreciated.

james_n · ‎07-16-2020

Hi @richgalloway ,

Thanks for the quick replay, Small mistake from my side that is required output. Please find the required output.

sample results from search1:

Jobs

xxx

yyy

zzz

aaa

sample data from search2:

Jobs

aaa

bbb

ccc

ddd

xxx

ttt

Expected output:

Jobs:

yyy

zzz

Please help me, Thanks in advance.

richgalloway · ‎07-16-2020

That changes things a bit..

index=test sourcetype=sample 
| rex "type=(?<Job>.*) " 
| dedup Job
| search NOT [ index=** sourcetype=** | rename JOBS AS Job | dedup Job | fields Job | format ] 
| table Job

---
If this reply helps you, Karma would be appreciated.

How match the two different search results

other

visualization

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?