Solved: Re: Comparing results from two searches

rupeshn · ‎09-04-2019

index="A" sourcetype=B action=Yes

| search NOT [ search index="A" sourcetype=B action="No" | fields User ] | stats count by User .

Here I'm trying to get user whose action is Yes. But whenever users get 'Yes' they get 'No' as well in 20% of cases at same time.
So I want those 80% users who are having action as only Yes.

Could you please help.

solarboyz1 · ‎09-04-2019

So, you looking for users who only received one of the two actions?

Using a subsearch has it's limits:
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/Useasubsearch

You could accomplish something similar with the following:

index="A" sourcetype=B action=Yes  OR action=No
| stats dc(action) as action_count by User
| search action_count<2

View solution in original post

solarboyz1 · ‎09-04-2019

So, you looking for users who only received one of the two actions?

Using a subsearch has it's limits:
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/Useasubsearch

You could accomplish something similar with the following:

index="A" sourcetype=B action=Yes  OR action=No
| stats dc(action) as action_count by User
| search action_count<2

rupeshn · ‎09-04-2019

@kmaron ,I've tried the query posted by you. But it still gives both the users.

rupeshn · ‎09-04-2019

I mean users with both actions.

rupeshn · ‎09-07-2019

Hi kmaron,

I'm getting output but i believe the output that i'm getting is very less(less number of records) than what it should be.

solarboyz1 · ‎09-09-2019

If you think the results are incorrect, you can break the search down and review the data:

index="A" sourcetype=B action=Yes  OR action=No
 | stats dc(action) as action_count, values(action) as action, by User

Will show all the results, you can sort by action_count, action, etc.. Look for anomalous values for action.

kmaron · ‎09-04-2019

please share the output you got

kmaron · ‎09-04-2019

That would also give you the No people.

But changing it to

 index="A" sourcetype=B action=Yes  OR action=No
 | stats dc(action) as action_count values(action) as action by User
 | search action_count<2 AND action=Yes

Would be only Yes's.

solarboyz1 · ‎09-04-2019

good catch!

rupeshn · ‎09-04-2019

I've tried the query posted by you. But it still gives both the users.

rupeshn · ‎09-04-2019

When i run above query I'm getting results of both users i.e., action=Yes and action= No. I'mm not sure where this Query went wrong

kmaron · ‎09-04-2019

Are you only going to have a single Yes and/or a single No for a user? So the most entries you would have for a single user is 2?

Comparing results from two searches

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases