Splunk Search

Can I compare a field from two or more subsearches?

rune_hellem
Contributor

We have three environments, test, stage and prod, where we run a script that creates a log file that per event lists the name of the environment, the application name, the build version of the app and the cluster it is installed on, like:

12.06.2015 10:13:32,935 cellName=test applicationName=useradmin-ear buildVersion=1.7.0 clusterName=InternalCluster

My plan is to create a script that creates a table in our documentation wiki with the environments as columns and application names as rows, showing the buildVersion, and then mark the differences.

But then it struck me that I could save myself all that work if I am able to create a search in Splunk doing this. That would be:

search in the indexes test, stage and prod
find all applicationNames
where buildVersion is not equal in all indexes
show the result in a table as applicationName, test.buildVersion, stage.buildVersion, prod.buildVersion

I did try to play around with the set command without too much luck so far.

| set intersect [search index=stage source="E:\\logs\\allApplicationsWithDetails.log" | fields applicationName,buildVersion] [search index=test source="E:\\logs\\allApplicationsWithDetails.log" | fields applicationName,buildVersion]

Well aware of the fact that this might be a long shot...


woodcock
Esteemed Legend

Try this:

(index=test OR index=stage OR index=prod) source="E:\\logs\\allApplicationsWithDetails.log" | stats dc(buildVersion) AS numVersions list(buildVersion) AS versions list(index) AS indices BY applicationName | where numVersions > 1

The two lists map value-to-value (the first value in indices goes with the first value in versions).

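To get the result in the layout the question asked for (one row per application, one column per environment, only rows where the versions disagree), the following search is an added example and is not part of the thread or the accepted answer. It assumes the same indexes, field names and source path as the question. It uses latest() so that only the most recently logged version in each index counts, which avoids flagging an application just because it was upgraded within the search window, and it fills missing cells so that an application absent from one environment is reported rather than silently dropped by a comparison against null.

```spl
(index=test OR index=stage OR index=prod) source="E:\\logs\\allApplicationsWithDetails.log"
| stats latest(buildVersion) AS buildVersion BY applicationName index
| xyseries applicationName index buildVersion
| fillnull value=missing test stage prod
| where test!=stage OR stage!=prod
| table applicationName test stage prod
| sort applicationName
```

Drop the where line to get the full matrix for the wiki, matching applications included. The accepted answer's dc()/list() form keeps every version seen in the time range, so narrow the time picker to the last run of the script if you use it; and the value-to-value pairing it relies on holds for list() but not for values(), which de-duplicates and sorts the entries.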

rune_hellem
Contributor

Thanks!

That does it... saves me hours of PowerShell scripting.

R.


woodcock
Esteemed Legend

Why are you still using PowerShell? I ditched it after my first use of MobaXterm.


rune_hellem
Contributor

Tempting, but as it is said, "Choose your battles...", and when working in a company running Windows all over, introducing something like MobaXterm is just for the few, not for the masses, so PowerShell is the path of least resistance 🙂


woodcock
Esteemed Legend

PowerShell is for Windows people and MobaXterm is for *nix people. IMHO, if you have *nix people on staff and are not providing something like MobaXterm, you are seriously hamstringing them and cratering their productivity.
