Dears,
We have two fields in one index. We need to compare the two fields and then create a new field that shows only the difference between them.
Below is one example of the results from the two fields:
current_conf field:
_Name:REQ000004543448-4614240-shrepoint
previous_conf field:
_Name:REQ000004543448-shrepoint
Please provide your support.

It depends on what else is consistent between your fields - in your example, you could do this
| rex field=current_conf "\-(?<diff>\d+)\-"
to extract the extra digits.

When you are referring to the difference between two strings, you should be more specific. For example, what would you expect to have been shown for your example?
Having said that, I suspect that it is non-trivial and not something that is supported out-of-the-box.

Hi @ITWhisperer.
The result that I need from my example is to create a new field containing the difference between the two fields, which is "4614240".
current_conf field:
_Name:REQ000004543448-4614240-shrepoint
previous_conf field:
_Name:REQ000004543448-shrepoint
Best Regards,
Why not "4614240-" or "-4614240"?
What if your fields were "_Name:REQ000004543448-4614240-shrepoint" and "_Name:REQ000005543448-shrepoint"?
What about "_Name:REQ000004543448-4614240-shrepoint" and "_Name:REQ000004543448-4614240-shrepoint " (extra space at the end)?
What about " _Name:REQ000004543448-4614240-shrepoint" and "_Name:REQ000004543448-4614240-shrepoint" (extra space at the beginning)?

Why not "4614240-" or "-4614240"?
No problem, we can show the field result with "-" at the beginning or end, it is not a big deal.
Regarding the other questions below, we only need to show the difference between the two fields.
Best Regards,
It kind of is a big deal. The requirement is too vague and not fully described, or it can be taken as being very specific as in you only want it applied to those exact examples you have given. The second example looks like it has two differences (the 5 instead of 4, and the extra numbers), how would you like to show that? The leading space in the fourth example means that every character position is different between the two fields. The trailing space example is identical apart from the extra space in one of the fields, does this matter, or should it be stripped before the comparison?
We humans can "easily" recognise the differences between these strings, but teaching a machine to do this is non-trivial, especially with the limited capabilities available in Splunk. It is not a tool designed for detecting these sorts of differences.

Hi,
current_conf field:
_Name:REQ000004543448-4614240-shrepoint
previous_conf field:
_Name:REQ000004543448-shrepoint
Yes, I understood you. We just need to know the differing number between the two fields, which is "4614240", without "-" at the end or beginning.
So can we do that or not?

It depends on what else is consistent between your fields - in your example, you could do this
| rex field=current_conf "\-(?<diff>\d+)\-"
to extract the extra digits.
OK, after the extraction, what is the next step?

That depends on what you are trying to achieve. The extract will give you a non-null value if the field matches the pattern, so you could filter on this
| where isnotnull(diff)

Yes, then, please share with me the full search.
Thank you

What do you have so far?

Actually, I have now tried the search below to find the difference between two fields whose values are separated by "," rather than by "-". See the search and results for the fields below:
current_conf field:
previous_conf field:
Search query:
my search
| rex field=current_conf "(?<h>[^)]+)" | eval SESSION_A=split(h,",") | mvexpand SESSION_A
| rex field=previous_conf "(?<B>[^)]+)" | eval SESSION_B=split(B,",") | mvexpand SESSION_B | where isnotnull(SESSION_A) | where isnotnull(SESSION_B)
| stats count,list(SESSION_A) as SESSION_A,list(SESSION_B) as SESSION_B by current_conf previous_conf
| where SESSION_B!=SESSION_A
But the search does not work.
Please provide your support.
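A worked version of the token-comparison approach, added here as an example; it is not part of the thread, and not Splunk's own documentation. It generalises the rex suggestion above: instead of matching one fixed pattern, it assumes each field is a list of tokens joined by a single separator ("-" in the examples in this thread, "," in the last search), trims surrounding whitespace before comparing (so the leading/trailing-space cases compare equal), and reports the tokens present in only one of the two fields in each direction. That means the REQ000005543448 case from the discussion yields two differences rather than one, which is the ambiguity that was pointed out. The two sample rows are constructed with makeresults; replace those first three lines with your own base search. The field names added, removed and diff_count are assumptions chosen for this example.

```spl
| makeresults count=2
| streamstats count AS row
| eval current_conf=if(row=1, "_Name:REQ000004543448-4614240-shrepoint", " _Name:REQ000004543448-4614240-shrepoint"),
       previous_conf=if(row=1, "_Name:REQ000004543448-shrepoint", "_Name:REQ000005543448-shrepoint")
| eval cur_tokens=split(trim(current_conf), "-"),
       prev_tokens=split(trim(previous_conf), "-")
| eval added=mvmap(cur_tokens, if(isnull(mvfind(prev_tokens, "^".cur_tokens."$")), cur_tokens, null())),
       removed=mvmap(prev_tokens, if(isnull(mvfind(cur_tokens, "^".prev_tokens."$")), prev_tokens, null()))
| eval diff_count=coalesce(mvcount(added), 0) + coalesce(mvcount(removed), 0)
| table current_conf previous_conf added removed diff_count
```

For row 1 this gives added=4614240, no removed tokens and diff_count=1, which is the value asked for in the thread; for row 2 it gives added of _Name:REQ000004543448 and 4614240, removed of _Name:REQ000005543448 and diff_count=3, making the second difference visible instead of silently picking one. To use "," as the separator, change the two split() calls. mvfind takes a regular expression, so the anchored "^token$" lookup only compares tokens exactly when the tokens contain no regex metacharacters; if yours can contain characters such as ".", "+" or "(", escape them with replace() before building the pattern. mvmap and trim require Splunk 8.0 or later; on older versions, the same comparison can be done by mvexpand on cur_tokens followed by a where on isnull(mvfind(prev_tokens, ...)) and a stats values(cur_tokens) by current_conf previous_conf.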