Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How match the two different search results

james_n
Path Finder
‎07-15-2020 10:22 AM

Hi, 

how to compare search1 results with search2 and list out how many matched and not matched.
EX: search1: index=test sourcetype=sample | rex "type=(?<Job>.*) " |dedup Job |table Job
search2:  index=** sourcetype=** |rename JOBS AS Job |dedup Job |table Job

sample data from search1:

Jobs

xxx

yyy

zzz

aaa

sample data from search2:

Jobs

aaa

bbb

ccc

ddd

xxx

ttt

Expected sample output:
search1 is returning 100 jobs and search2 is returning 200 jobs, we need to list out the jobs those are not matching search1 with search2
for example: out of 100 jobs if 40 matched with search2 remaining 60 not matched jobs list in search1 

Output:

Jobs

bbb

ccc

ddd

ttt

Tried |set diff command but not worked, Please help. Thanks in advance.
       

Labels (1)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 12:43 PM

Try a subsearch

index=** sourcetype=** NOT [ index=test sourcetype=sample | rex "type=(?<Job>.*) " |dedup Job | rename Job as JOBS | fields JOBS | format ]
| rename JOBS AS Job 
| dedup Job 
| table Job

This search looks for events in index ** which are not in index test.  I changed the field name in the subsearch to match the name used in the main search. 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

james_n
Path Finder
‎07-16-2020 02:23 AM

Hi @richgalloway ,

Thanks for the quick replay, Small mistake from my side that is required output. Please find the required output.

sample results from search1:

Jobs

xxx

yyy

zzz

aaa

sample data from search2:

Jobs

aaa

bbb

ccc

ddd

xxx

ttt

Expected output:

Jobs:

yyy

zzz

Please help me, Thanks in advance.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-16-2020 06:21 AM

That changes things a bit..

index=test sourcetype=sample 
| rex "type=(?<Job>.*) " 
| dedup Job
| search NOT [ index=** sourcetype=** | rename JOBS AS Job | dedup Job | fields Job | format ] 
| table Job

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...