Solved: Compare Two Different Fields in a Multisearch

dsitek · ‎07-24-2019

I am trying to obtain a list of ids for orders that were abandoned/forgotten and never received a submit. I have a multisearch that finds a list of all ids when they are created and another search that finds the ids when they are submitted. I would like to find all of the values that appear only in the first list. Is there a command to do this without comparing two lookups? Here is my search:
| multisearch [ search create call" | extract id ] [ search submit call | extract id ] | table created_cart_id submitted_cart_id

dsitek · ‎07-24-2019

I just posted this but the most obvious solution hit me in the face. After the table command, rename both fields to be the same, count them, and select only ones that appear once.
rename created_cart_id AS cart_id, submitted_cart_idea AS cart_id | stats count by cart_id | where count=1

View solution in original post

dsitek · ‎07-24-2019

I just posted this but the most obvious solution hit me in the face. After the table command, rename both fields to be the same, count them, and select only ones that appear once.
rename created_cart_id AS cart_id, submitted_cart_idea AS cart_id | stats count by cart_id | where count=1

Compare Two Different Fields in a Multisearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation