Solved: Compare Two Different Fields in a Multisearch

dsitek · ‎07-24-2019

I am trying to obtain a list of ids for orders that were abandoned/forgotten and never received a submit. I have a multisearch that finds a list of all ids when they are created and another search that finds the ids when they are submitted. I would like to find all of the values that appear only in the first list. Is there a command to do this without comparing two lookups? Here is my search:
| multisearch [ search create call" | extract id ] [ search submit call | extract id ] | table created_cart_id submitted_cart_id

dsitek · ‎07-24-2019

I just posted this but the most obvious solution hit me in the face. After the table command, rename both fields to be the same, count them, and select only ones that appear once.
rename created_cart_id AS cart_id, submitted_cart_idea AS cart_id | stats count by cart_id | where count=1

View solution in original post

dsitek · ‎07-24-2019

I just posted this but the most obvious solution hit me in the face. After the table command, rename both fields to be the same, count them, and select only ones that appear once.
rename created_cart_id AS cart_id, submitted_cart_idea AS cart_id | stats count by cart_id | where count=1

Compare Two Different Fields in a Multisearch

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!