Solved: How to compare 2 lists from 2 different searches ?

utk123 · ‎10-09-2019

I have 2 different searches to create 2 hosts list, and I want below from splunk search:
1. Find all hosts from 1st search from a csv.
2. Find few hosts from different 2nd search with a criteria.
3. Find any host which is in List1 but not in List2, and populate in 3rd list.

Example:
List1 from search1 - Host1, Host2, Host3, Host6, Host7
List2 from search2 - Host2, Host3, Host4, Host5
List3 should be - Host1, Host6, Host7

My current splunk search listed below is showing all non-duplicate host from List1 & List2, which is not what I want.
Currently from below search my List3 shows me - Host1, Host4, Host5, Host6, Host7

Thanks in advance.

renjith_nair · ‎10-09-2019

@utk123,

Test this with your data

| inputlookup hostlist.csv | rename host as hostname|eval source="one"
| append [| search index=aaa AND bbb | rename name as hostname|eval source="two"]
| stats values(source) as source,count by hostname | where count == 1 AND source="one"

Happy Splunking!

View solution in original post

renjith_nair · ‎10-09-2019

@utk123,

Test this with your data

| inputlookup hostlist.csv | rename host as hostname|eval source="one"
| append [| search index=aaa AND bbb | rename name as hostname|eval source="two"]
| stats values(source) as source,count by hostname | where count == 1 AND source="one"

Happy Splunking!

utk123 · ‎10-09-2019

Thanks, above solution works.

How to compare 2 lists from 2 different searches ?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!