Splunk Enterprise

File Compare and Display

akankshayadav
Path Finder

Consider I have two files, File1 and File2.

File1 and File2 got indexed last month, with events in file1 say A, B and events in file2 say C, D.

They again got indexed today, file1 with the same events A and B but file2 with C, D, E, F. This means that file2's modified version has different events compared to its last version.

Now, I need to display in the panel all files like file2 whose current events are different from their last events.

Thanks in advance!

0 Karma

ITWhisperer
SplunkTrust

Count the events by type and month; where there is only one, e.g. E and F, these are new events.

0 Karma

akankshayadav
Path Finder

Can any code be provided? Below is my dashboard, which might be useful for reference. The 1st panel has the different versions of files and the 2nd panel has the unique events in each. Any help?

akankshayadav_1-1624000934534.png

0 Karma

ITWhisperer
SplunkTrust

Not tremendously helpful, since it isn't clear where Events have come from or whether InvVersion represents the different months, but assuming Events is a collection of events and the InvVersion values are the different months, then

| stats count values(InvVersion) as InvVersion by Events File
| where count=1
0 Karma

akankshayadav
Path Finder

Your assumptions are correct, but the 2nd panel is dependent on the 1st panel. When I click the file in the 1st panel, the 2nd one gets displayed by drilldown. The view you are seeing in the 2nd panel is of the unique events of one file in different versions. Now, from this, there are numerous files with such differences. Some have unique events, some don't. How can I display the names of the files which have different events in their versions?

For simplicity, instead of taking 4 versions of a file (as in the dashboard whose pic I shared), let's assume there are only two versions.

0 Karma

ITWhisperer
SplunkTrust

It is not clear whether the events are unique within each file for each version, so assuming they aren't, you can count them and ignore the count, then count the number of versions there are for each combination of event and file. Any with this second count equal to 1 only occurs in one of the file versions.

| stats count by InvVersion Events File
| stats count by Events File
| where count=1
| dedup File
| table File
0 Karma

akankshayadav
Path Finder

Panel 2 displays the events unique in each version of a file, i.e. count=1 of _raw in each version of the file.

I need the names of all the files whose versions have unique events, i.e. if the first version of file1 has A B and the second version has A C, and file2 has A and B in both versions, then file1 should be my answer.

0 Karma

ITWhisperer
SplunkTrust

Have you tried my suggestion? Here is a runanywhere version to show it working with the data you suggested.

| makeresults 
| eval _raw="InvVersion,File,Events
1,file1,A
1,file1,B
2,file1,A
2,file1,C
1,file2,A
1,file2,B
2,file2,A
2,file2,B"
| multikv forceheader=1
| fields - _* linecount
| stats count by InvVersion Events File
| stats count by Events File
| where count=1
| dedup File
| table File

akankshayadav
Path Finder

The solution which you suggested, where can I put this in my code? It's not working for some files like

akankshayadav_0-1624254693976.png

Here pas.csv has a different event in a version, but the name of this file is not displayed in the output.

akankshayadav_1-1624254771552.png

0 Karma

ITWhisperer
SplunkTrust

Replace lines 5-7 with

| stats count by InvVersion path file
| stats count by path file
| where count=1
| dedup file
| table file
0 Karma

akankshayadav
Path Finder

This is displaying the names of all files, not only the files with different events.

0 Karma

ITWhisperer
SplunkTrust

Try this - I was not taking into account multiple copies of the different versions.

| eval path=trim(path)
| eval file=trim(file)
| stats count by InvVersion path file
| stats count by path file
| stats dc(count) as versions by file
| where versions>1
| dedup file
| table file

Also, is it possible that either or both path and file have trailing spaces?

0 Karma

akankshayadav
Path Finder

No results displayed.

akankshayadav_0-1624256991377.png

No trailing spaces.

0 Karma

ITWhisperer
SplunkTrust

Remove lines 7 and 8 - they were for setting up the sample data, not part of the solution.

0 Karma

akankshayadav
Path Finder

akankshayadav_0-1624258301900.png

Still no output, sir.

0 Karma

ITWhisperer
SplunkTrust

Remove line 7.

0 Karma

akankshayadav
Path Finder

akankshayadav_0-1624258797623.png

Still no output, sir. What is the logic of line 10?

0 Karma

ITWhisperer
SplunkTrust

Another approach

| makeresults
| eval _raw="InvVersion,File,Events
1,file1,A B
2,file1,A B
3,file1,A B C
4,file1,A B C
1,file2,M N
2,file2,M N
3,file2,M O
4,file2,M P
1,file3,A
1,file3,B
2,file3,A
2,file3,B
3,file3,A
3,file3,B
3,file3,C
4,file3,A
4,file3,B
4,file3,C
1,file4,M N
2,file4,M N
3,file4,M N
4,file4,M N
1,file5,M
1,file5,N
2,file5,M
2,file5,N
3,file5,M
3,file5,N
4,file5,M
4,file5,N"
| multikv forceheader=1
| fields - _* linecount
| stats count by InvVersion Events File
| eventstats dc(InvVersion) as versions by File
| stats values(versions) as versions count by Events File
| where versions>count
| dedup File
| table File
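Added example, not part of the thread or ITWhisperer's own code: a plain Python re-implementation of the three SPL approaches posted above (the `where count=1` search, the `dc(count)` search, and the final `versions>count` search), run over the same constructed sample rows as the `makeresults` data in the post above. It answers the "what is the logic" question by showing which files each approach reports and why the final one is the only one that catches all three changed files (file1, file2, file3). Function names and the `parse` helper are this example's own, not SPL commands.

```python
"""Re-implement the thread's three SPL searches in Python on constructed data.

Goal: list every File whose set of Events differs between at least two of its
indexed versions (InvVersion). Rows are (InvVersion, File, Events); Events is
the raw event text, so "A B" is a single event, just as in the makeresults data.
"""
from collections import Counter, defaultdict

# Constructed sample, identical to the makeresults rows in the post above.
SAMPLE = """\
1,file1,A B
2,file1,A B
3,file1,A B C
4,file1,A B C
1,file2,M N
2,file2,M N
3,file2,M O
4,file2,M P
1,file3,A
1,file3,B
2,file3,A
2,file3,B
3,file3,A
3,file3,B
3,file3,C
4,file3,A
4,file3,B
4,file3,C
1,file4,M N
2,file4,M N
3,file4,M N
4,file4,M N
1,file5,M
1,file5,N
2,file5,M
2,file5,N
3,file5,M
3,file5,N
4,file5,M
4,file5,N"""


def parse(csv_text):
    """Stand-in for `| multikv forceheader=1`: yields (version, file, event) rows."""
    rows = []
    for line in csv_text.splitlines():
        version, file, events = line.split(",", 2)
        rows.append((int(version), file.strip(), events.strip()))
    return rows


def versions_per_event(rows):
    """`| stats count by InvVersion Events File | stats count by Events File`:
    the number of distinct versions in which each (file, event) pair occurs."""
    distinct = {(v, f, e) for v, f, e in rows}          # first stats collapses duplicates
    return Counter((f, e) for _, f, e in distinct)       # second stats counts versions


def approach_count_equals_one(rows):
    """Early reply: `| where count=1`. Keeps pairs seen in exactly one version.
    Fine for two versions; misses a change that persists over several versions."""
    return sorted({f for (f, _), n in versions_per_event(rows).items() if n == 1})


def approach_dc_count(rows):
    """Next reply: `| stats dc(count) as versions by file | where versions>1`.
    Flags a file only when its per-event version counts are not all equal, so
    file1 (both of its events occur in exactly 2 of 4 versions) is missed."""
    counts_by_file = defaultdict(set)
    for (f, _), n in versions_per_event(rows).items():
        counts_by_file[f].add(n)
    return sorted(f for f, ns in counts_by_file.items() if len(ns) > 1)


def approach_versions_gt_count(rows):
    """Final "Another approach": `eventstats dc(InvVersion) as versions by File`
    then `where versions>count`. A pair present in fewer versions than the file
    has in total is missing from at least one version, i.e. the versions differ."""
    total_versions = defaultdict(set)
    for v, f, _ in rows:
        total_versions[f].add(v)
    return sorted({f for (f, _), n in versions_per_event(rows).items()
                   if len(total_versions[f]) > n})


if __name__ == "__main__":
    rows = parse(SAMPLE)
    for fn in (approach_count_equals_one, approach_dc_count, approach_versions_gt_count):
        print(f"{fn.__name__:28s} -> {fn(rows)}")
```

Running it prints `['file2']`, `['file2', 'file3']` and `['file1', 'file2', 'file3']` for the three approaches respectively; on the original two-version question (file1: A B then A C; file2: A B twice) the first and last approaches both return `['file1']`, which is why the simple `count=1` search looked correct until the dashboard's four versions were used.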

akankshayadav
Path Finder

No output for the exact same. Did you get the output?

0 Karma

ITWhisperer
SplunkTrust

What does your search look like now?

akankshayadav
Path Finder

I tried with my use case (a little unique), with a single line modification, and it's working. And your code is also working. Thanks a ton.

0 Karma