Solved: Re: Compare Two Different Fields in a Multisearch

dsitek · ‎07-24-2019

I am trying to obtain a list of ids for orders that were abandoned/forgotten and never received a submit. I have a multisearch that finds a list of all ids when they are created and another search that finds the ids when they are submitted. I would like to find all of the values that appear only in the first list. Is there a command to do this without comparing two lookups? Here is my search:
| multisearch [ search create call" | extract id ] [ search submit call | extract id ] | table created_cart_id submitted_cart_id

dsitek · ‎07-24-2019

I just posted this but the most obvious solution hit me in the face. After the table command, rename both fields to be the same, count them, and select only ones that appear once.
rename created_cart_id AS cart_id, submitted_cart_idea AS cart_id | stats count by cart_id | where count=1

View solution in original post

dsitek · ‎07-24-2019

I just posted this but the most obvious solution hit me in the face. After the table command, rename both fields to be the same, count them, and select only ones that appear once.
rename created_cart_id AS cart_id, submitted_cart_idea AS cart_id | stats count by cart_id | where count=1

Compare Two Different Fields in a Multisearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation