Splunk Search

Compare two searches and remove identical value to find the difference between the two searches

danje57
Path Finder

Hi,

I have a CSV which contains group and user:

Groupe Name, User
administrator,admin1
guest,admin2
guest,admin1
printer, admin1

I would like to make two searches to retrieve the groups for admin1 and admin2, and then find and display the difference between them.

This is to find the difference in the role attribution of each user.

What is the best query to make with Splunk?

I tried something like:

| set diff [search index="role_log" source="List_Of_all_Groups_With_USers" SamAccountName=admin1 | sort SamAccountName | stats values("Group Name") by "SamAccountName"] [search index="role_log" source="List_Of_all_Groups_With_USers" SamAccountName=admin2 | sort SamAccountName | stats values("Group Name") by "SamAccountName"]

OR this one

index="role_log" source="List_Of_all_Groups_With_USers" (SamAccountName=admin1 OR SamAccountName=admin2) | sort SamAccountName | stats values("Group Name") by "SamAccountName"

But this displays only the groups for each user, in two lines.

It doesn't indicate which groups are missing for admin1 or admin2, or which group is added or not to each user.

0 Karma

sundareshr
Legend

Try this

index="role_log" source="List_Of_all_Groups_With_USers" (SamAccountName=admin1 OR SamAccountName=admin2) | chart dc over "Group Name" by SamAccountName | where NOT (admin1=admin2)

*OR*

index="role_log" source="List_Of_all_Groups_With_USers" (SamAccountName=admin1 OR SamAccountName=admin2) | chart dc over "Group Name" by SamAccountName | addtotals | where Total=1
0 Karma

danje57
Path Finder

Seems there is a statement error, as chart dc over is not recognized:

Error in 'chart' command: The specifier 'dc' is invalid. It must be in form (). For example: max(size).
0 Karma

danje57
Path Finder

This works fine:

index="role_log" source="List_Of_all_Groups_With_USers" (SamAccountName=admin1 OR SamAccountName=admin2) | chart dc("Group Name") over "Group Name" by SamAccountName | where NOT (admin1=admin2)
0 Karma
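The working search above lists the groups where the two users differ, but each row still only shows a 1 and a 0, so the reader has to work out which user holds the group and which one is missing it. The search below is an added example (not from the thread, and not Splunk's own code) that extends the same chart/where pattern with a labelled status column, so the output answers the original question directly: which group is missing for admin1, and which for admin2. It assumes nothing about your index: the first five lines build a constructed copy of the CSV from the question inline (with one extra constructed row, backup,admin2, so that both directions of the difference appear), and the field names GroupName and SamAccountName are assumptions. In a real search, replace those five lines with the thread's own base search, index="role_log" source="List_Of_all_Groups_With_USers" (SamAccountName=admin1 OR SamAccountName=admin2), and use "Group Name" where GroupName appears.

```spl
| makeresults
| eval data="administrator,admin1;guest,admin2;guest,admin1;printer, admin1;backup,admin2"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<GroupName>[^,]+),\s*(?<SamAccountName>.+)$"
| fields GroupName SamAccountName
| chart dc(SamAccountName) over GroupName by SamAccountName
| fillnull value=0 admin1 admin2
| where NOT (admin1=admin2)
| eval status=case(admin1=1 AND admin2=0, "admin1 only (missing for admin2)",
                   admin2=1 AND admin1=0, "admin2 only (missing for admin1)")
| table GroupName admin1 admin2 status
```

How it works: makeresults, eval, makemv, mvexpand and rex turn the constructed CSV text into one event per group/user pair (the rex pattern tolerates the stray space in "printer, admin1"). chart dc(SamAccountName) over GroupName by SamAccountName produces one row per group with a column per user holding 1 if the user is in that group and 0 otherwise; fillnull guards against empty cells in case the chart leaves them null rather than 0. The where clause keeps only groups where the two columns differ (guest, held by both, drops out), and the case() expression labels each remaining row. On this sample the result is administrator and printer marked "admin1 only (missing for admin2)" and backup marked "admin2 only (missing for admin1)". Because the status text is derived from the counts rather than from the user names, the same search works for any pair of accounts once the two SamAccountName values in the base search and in the eval are changed.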