- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: Compare Two Fields with different Names on dif...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Guys,
i have 2 Index index a and index b
on index a i have a field called nachrichtId
on index b i have a field called originalId
this both fields have the Same string (Value)
i want to write now a Search where i can found out if i have some nachrichtId events on Index a but no originalId on index b.
I want to find out if i have some problems with my Events or if i have a gap between this 2 Indexes
can anyone help me please Thank you 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mklhs,
If you're value is already in a field lets call it field_value you can run a search as follows :
index= nachrichtId OR index=originalId
| stats dc(index) as condition by field_value
| where condition<2
If the value is not extracted and its the whole event you wish to compare then you can use the _raw field:
index= nachrichtId OR index=originalId
| stats dc(index) as condition by _raw
| where condition<2
Let me know if that helps.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mklhs,
If you're value is already in a field lets call it field_value you can run a search as follows :
index= nachrichtId OR index=originalId
| stats dc(index) as condition by field_value
| where condition<2
If the value is not extracted and its the whole event you wish to compare then you can use the _raw field:
index= nachrichtId OR index=originalId
| stats dc(index) as condition by _raw
| where condition<2
Let me know if that helps.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank for your Answer but i dont know if this is right for me
I have 2 indexes
in index 1 i have an event with a field named Nachrichtentid
this field has the value foobar
in index 2 i have an event with a field named OriginalId
this field also has the value foobar
I want to find out which events are not forwarded by index 1 and index 2, so where events are missing here. In both indexes the events have only these 2 fields as unique value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First you need to make sure that this ID has the same name in both indexes to make it easier to join without using the join command. So first create an alias, call it joinID or something. Then run the search below :
index=index1 OR index=index2
| stats dc(index) as condition by joinID
| where condition<2
This will fetch data from both indexes and see which ID is in less than 2 indexes.
If you also wish to know which index has the missing event, you can run the following:
index=index1 OR index=index2
| stats dc(index) as condition, values(index) as index by joinID
| where condition<2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thats works for me Thank you for your Help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you're welcome !
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
