Splunk Enterprise Security

Compare Two Fields with different Names on different Index

Path Finder

Hello Guys,

I have 2 indexes, index a and index b.
On index a I have a field called nachrichtId.
On index b I have a field called originalId.
Both fields have the same string (value).

I want to write a search now where I can find out if I have some nachrichtId events on index a but no originalId on index b.

I want to find out if I have some problems with my events or if I have a gap between these 2 indexes.

Can anyone help me please? Thank you 🙂

1 Solution

SplunkTrust

Hi @mklhs,

If your value is already in a field, let's call it field_value, you can run a search as follows:

index=nachrichtId OR index=originalId
| stats dc(index) as condition by field_value
| where condition<2

If the value is not extracted and it's the whole event you wish to compare, then you can use the _raw field:

index=nachrichtId OR index=originalId
| stats dc(index) as condition by _raw
| where condition<2

Let me know if that helps.

Cheers,
David


Path Finder

Thanks for your answer, but I don't know if this is right for me.

I have 2 indexes.
In index 1 I have an event with a field named Nachrichtentid;
this field has the value foobar.
In index 2 I have an event with a field named OriginalId;
this field also has the value foobar.

I want to find out which events are not forwarded by index 1 and index 2, so where events are missing here. In both indexes the events have only these 2 fields as a unique value.


SplunkTrust

First you need to make sure that this ID has the same name in both indexes, to make it easier to join without using the join command. So first create an alias, call it joinID or something. Then run the search below:

index=index1 OR index=index2
| stats dc(index) as condition by joinID
| where condition<2

This will fetch data from both indexes and see which ID is in less than 2 indexes.

If you also wish to know which index has the missing event, you can run the following:

index=index1 OR index=index2
| stats dc(index) as condition, values(index) as index by joinID
| where condition<2
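An added worked version of the same gap check (example search, not David's): instead of a saved field alias it builds joinID at search time with coalesce(), only pulls events that actually carry their ID field, and names the index each ID is missing from. nachrichtId and originalId are the field names from the question, index1 and index2 are the placeholder index names from the reply above, and the one-hour lag window is an assumption.

```spl
(index=index1 nachrichtId=*) OR (index=index2 originalId=*) earliest=-24h@h latest=-1h@h
| eval joinID=coalesce(nachrichtId, originalId)
| stats dc(index) AS condition, values(index) AS seen_in, min(_time) AS first_seen BY joinID
| where condition<2
| eval missing_from=if(seen_in=="index1", "index2", "index1")
| convert ctime(first_seen)
| table joinID seen_in missing_from first_seen
```

The gap between latest and now keeps IDs that simply have not been forwarded yet out of the result, so set it to the real forwarding delay; if the ID field is spelled differently per sourcetype (Nachrichtentid versus nachrichtId), add that spelling to the coalesce() list.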

Path Finder

That works for me. Thank you for your help.


SplunkTrust

You're welcome!
