Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare two events with multiple key value pairs

rizwan0683
Path Finder
‎02-09-2022 10:50 PM

I have two events that are semi-colon separated key value pairs. I have applied the extract command to parse the event into key value pairs. The aim is to compare the two events using the key and highlight the differences in values in a table format with the key as header and values as rows

Event 1
35=D; 54=2; 40=1; 11=abc

Event 2
35=G; 54=2; 40=2; 11=xyz

Result
35|40|11
D|1|abc
G|2|xyz

Which function will index my keys so that I may compare their values and report in the above format?

Extraction performed as follows:

<search> | extract pairdelim=";" kvdelim="\=" clean_keys=false

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-10-2022 02:05 AM

I am not sure I understand, here is a runanywhere example with the additional field still showing up as expected

| makeresults 
| eval _raw="35=D; 54=2; 40=1; 11=abc; 75=hellow
35=G; 54=2; 40=2; 11=xyz; 75=world"
| multikv noheader=t
| fields _raw
| fields - _time
| extract pairdelim=";" kvdelim="\=" clean_keys=f
| streamstats count as row
| eval row="row".row
| transpose 0 header_field=row column_name=row
| where row1!=row2
| transpose 0 header_field=row column_name=row
| fields - row _raw

ITWhisperer_0-1644487011661.png

As for your other example, all the columns have different values in, so all would be kept

What happens if there is no mapping, what is the field name in this instance?

View solution in original post

Reply
Solved! Jump to solution

rizwan0683
Path Finder
‎02-09-2022 11:26 PM

This seems to return the two events as _raw only

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2022 11:35 PM

You did add it after your extract, right?

Please can you share your query?

Reply
Solved! Jump to solution

rizwan0683
Path Finder
‎02-09-2022 11:41 PM

yes after extract as follows 

<base search>
| extract pairdelim=";" kvdelim="\=" clean_keys=false 
| streamstats count as row
| eval row="row".row
| transpose 0 header_field=row column_name=row
| where row1!=row2
| transpose 0 header_field=row column_name=row
| fields - row

 

note the base search returns two events

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2022 11:50 PM

Here is a runanywhere example based on your sample events showing it working

| makeresults 
| eval _raw="35=D; 54=2; 40=1; 11=abc
35=G; 54=2; 40=2; 11=xyz"
| multikv noheader=t
| fields _raw
| fields - _time
| extract pairdelim=";" kvdelim="\=" clean_keys=f
| streamstats count as row
| eval row="row".row
| transpose 0 header_field=row column_name=row
| where row1!=row2
| transpose 0 header_field=row column_name=row
| fields - row

Are your real events significantly different to your examples?

Reply
Solved! Jump to solution

rizwan0683
Path Finder
‎02-10-2022 12:42 AM

Firstly apologies, my first response was incorrect. Your code did in fact bring back _raw events as well as the output of comparing the fields and tabulating them. I had missed those as the _raw events were long and took up the width of the screen and I didn't scroll across. So it appears to be working however, the final output is not as expected. 

The real life data is slightly different but I don't believe it is affecting the output (e.g. timestamp field)

My actual output looks like this

 

_time | date_minute | date_second |  tag_35 | tag_52 | tag_60
2022-02-09T16:33:04.956+0000 | 33 | 4 |  G | 20220209-16:33:04.955 | 20220209-16:33:04.955
2022-02-09T16:31:42.611+0000 | 31 | 42 |  D | 20220209-16:31:42.610 | 20220209-16:31:42.610

 

 

These are genuine differences however, there are more fields that have differences not being reported here.

notes:

The first 3 columns are expected as the data does differ in those fields.
The headers for last 4 fields are taken from a dictionary I maintain and can access via inputlookup. In this dictionary key "11" has been mapped to a header named "tag_11".

I note that the keys with differences that are not showing up, happen to be those that DON'T have a mapping in this dictionary. Using my original example:

Event 1
35=D; 54=2; 40=1; 11=abc; 75=hellow

Event 2
35=G; 54=2; 40=2; 11=xyz; 75=world

Your code is generating the equivalent of this output: 

Result
35|40|11
D|1|abc
G|2|xyz

i.e 75 is omitted, despite having a difference. 

Keys 35, 54, 40, 11 are mapped in this dictionary 
Key 75 is not. 

Would this cause the discrepancy in the result?

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-10-2022 02:05 AM

I am not sure I understand, here is a runanywhere example with the additional field still showing up as expected

| makeresults 
| eval _raw="35=D; 54=2; 40=1; 11=abc; 75=hellow
35=G; 54=2; 40=2; 11=xyz; 75=world"
| multikv noheader=t
| fields _raw
| fields - _time
| extract pairdelim=";" kvdelim="\=" clean_keys=f
| streamstats count as row
| eval row="row".row
| transpose 0 header_field=row column_name=row
| where row1!=row2
| transpose 0 header_field=row column_name=row
| fields - row _raw

ITWhisperer_0-1644487011661.png

As for your other example, all the columns have different values in, so all would be kept

What happens if there is no mapping, what is the field name in this instance?

Reply
Solved! Jump to solution

rizwan0683
Path Finder
‎02-10-2022 02:17 AM

>>What happens if there is no mapping, what is the field name in this instance?

I would expect the key name to display e.g.  35,11,75.

Would it be an issue if the data was arranged randomly e.g.

 

Event 1
35=D; 54=2; 40=1; 11=abc; 75=hellow

Event 2
54=2; 11=xyz; 75=world; 40=2; 35=G

 

Can you help breakdown what your code is doing please, specifically 

 

 

| eval row="row".row

 

 

 
 
Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-10-2022 02:52 AM

Specifically

| streamstats count as row
| eval row="row".row

Is adding a field called row with a unique number,; this is then prepended with the string "row" so that, when the transpose is done, there are two fields with known names (row1 and row2) for the where command to be able to compare across the two columns (previously rows)

The order doesn't matter because the extract is putting them into the right fields

| makeresults 
| eval _raw="35=D; 54=2; 40=1; 11=abc; 75=hellow
54=2; 11=xyz; 75=world; 40=2; 35=G"
| multikv noheader=t
| fields _raw
| fields - _time
| extract pairdelim=";" kvdelim="\=" clean_keys=f
| streamstats count as row
| eval row="row".row
| transpose 0 header_field=row column_name=row
| where row1!=row2
| transpose 0 header_field=row column_name=row
| fields - row _raw
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-09-2022 11:11 PM

For two events, you could do this:

| streamstats count as row
| eval row="row".row
| transpose 0 header_field=row column_name=row
| where row1!=row2
| transpose 0 header_field=row column_name=row
| fields - row

If you have more than 2 events, you will need to be more specific about the comparisons for which fields from the events you want to keep

Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...