Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to receive delta from two different sources?

hillsmtb7
Explorer
‎05-24-2022 07:15 AM

We are trying to output computers that appear in index A but not appear in Index B.  We want to ensure computers are being deployed with the correct software on them.

Index A
----------------------------------------------------
| name | objectclass | field 1 | field 2 | field 3 |
----------------------------------------------------
| PC 1   | computer     | x           | x           | x           |
| PC 2   | computer     | x           | x           | x           |
| PC 3   | computer     | x           | x           | x           |
| PC 4   | computer     | x           | x           | x           |
| PC 5   | computer     | x           | x           | x           |
| PC 6   | computer     | x           | x           | x           |


Index B
----------------------------------------------------
| cname | objectclass | field 1 | field 2 | field 3 |
----------------------------------------------------
| PC 1     | computer     | x            | x           | x           |
| PC 2     | computer     | x            | x           | x           |
| PC 5     | computer     | x            | x           | x           |
| PC 6     | computer     | x            | x           | x           |

 

I need the output to only show PC 3 and 4 so this can be supplied to the proper team to install the application.  I have tried join with type left and outer.  Also I have attempted stats.  However, I believe my logic is wrong.

Your help is greatly appreciated.

Labels (1)
Labels
0 Karma
Reply

hillsmtb7
Explorer
‎05-24-2022 07:54 AM

That did not work.   It returns 0 results and when we run the indexes independently index A shows PC3 and index B does not contain PC3.  Could it be an issue with the filed names being different for the computer names?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2022 08:15 AM

Yes. Just rename one of the fields to the same name or use coalese() to eval the fields together i.e. when name is null, set it to cname.

0 Karma
Reply

hillsmtb7
Explorer
‎05-24-2022 08:30 AM

Negative GhostRider...did not work.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2022 08:46 AM

What have you tried?

0 Karma
Reply

hillsmtb7
Explorer
‎05-24-2022 09:11 AM

I have tried the first suggestion you provided.  Then on the rename of the filed I tried the following:

(index="A" ) OR (index="B" sourcetype="B.1")

| rename cname as name

| stats value(*) as * values(index) as index by name

| where mvcount(index)=1 AND index="A"

 

Just for clarity, I have ran the index independently and receive the following for PC3:

index="A" name=PC3 (Results: PC3 appears in the list for the past 30 days)

index="B" sourcetype="B.1" cname=PC3 (Results: PC3 does not appear for the past 30 days.)

Need only the machines that show up in index A and not in index B to display.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2022 09:34 AM

What do you get for this?

(index="A" ) OR (index="B" sourcetype="B.1")
| rename cname as name
| stats value(*) as * values(index) as index by name
| where name="PC3"
0 Karma
Reply

hillsmtb7
Explorer
‎05-24-2022 10:25 AM

hillsmtb7_0-1653412798645.png

This is what I get.   

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2022 10:53 AM

That would seem to suggest that PC3 doesn't exist in either index as that name - have the names been shortened or extended in either index or been modified e.g. uppercase, etc. - the names will have to match precisely (unless we do something different)?

0 Karma
Reply

hillsmtb7
Explorer
‎05-24-2022 11:57 AM

Well that's exactly not true as PC3 does exist on the first index just not in the second one when searched individually.

Index A

hillsmtb7_0-1653418577714.png

Index B

hillsmtb7_1-1653418595955.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2022 12:03 PM

The initial search is case insensitive. What do you find when you try it like this?

index="A"
| where name="PC3"
index="B"
| where name="PC3"
0 Karma
Reply

hillsmtb7
Explorer
‎05-24-2022 12:10 PM

I wont try index B cause there is no data there for that PC, but in index A I attempted the following:

index=A

| where name="PC3" (Results: Computer appears)

But when I search as follows:

index=A

| where name="pc3" (Results: Computer does not appear)

It is case sensitive at the where.  I thought it was case insensitive throughout.  Where do I change the case?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2022 12:46 PM

Try this

(index="A" OR index="B")
| eval name=upper(coalesce(name,cname))
| stats value(*) as * values(index) as index by name
| where mvcount(index)=1 AND index="A"
0 Karma
Reply

hillsmtb7
Explorer
‎05-24-2022 02:12 PM

We might be getting closer.  Why are we placing the following:

values(*) as *

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2022 10:06 PM

This is gathering the values from the two events into one event

indexnamefield1...
APC2xyz...
BPC2xyz...

become

indexnamefield1...
A, B (multi-value)PC2xyz...

index has a mvcount = 1 when it appears in only one index - which is what you are after, and you check that that index is "A" to find the ones that are in "A" and not "B"

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-24-2022 07:26 AM

Try something along these lines

(index="A" OR index="B")
| stats value(*) as * values(index) as index by name
| where mvcount(index)=1 AND index="A"
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...