Compare data between multi column tables and find ...

renSplunk · ‎01-27-2021

Hi,

I have a query that gives a table of records satisfying certain condition. Have another query that gives the same result fields, but with a different search string.
Now I want to find the ones that are present in first result and not in the second one
Query1 : index=mail sourcetype=testmail "Search condition 1" | table field1 field2 field3 | dedup field1 field2 field3
Query2 : index=mail sourcetype=testmail "Search condition 2" | table field1 field2 field3 | dedup field1 field2 field3
How do I find the one that is only present in Query 1 and then list it as a table with all 3 fields?

to4kawa · ‎01-28-2021

index=mail sourcetype=testmail "Search condition 1" OR "Search condition 2"
| eval condition1=if(searchmatch("Search condition 1"),"y","n")
| eval condition2=if(searchmatch("Search condition 2"),"y","n")
| table field1 field2 field3 condition*

manjunathmeti · ‎01-27-2021

You can use NOT,

 index=mail sourcetype=testmail "Search condition 1"  NOT "Search condition 2" | table field1 field2 field3 | dedup field1 field2 field3

renSplunk · ‎01-28-2021

I tried it, but it gives me only the first search results. What I want is to search for both and then find the difference between them

Compare data between multi column tables and find difference

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation