Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Compare two searches and remove identical value to find the difference between the two searches

danje57
Path Finder
‎10-20-2016 04:57 AM

Hi,

I've CSV which contain groupe and user

Groupe Name, User
administrator,admin1
guest,admin2
guest,admin1
printer, admin1

I would like to make two search to retrieve groups from admin1 and admin2, and find and display the difference between them.

This is to find the difference in the role attribution of each user.

What is the best query to make with splunk.

I tried something like:

| set diff [search index="role_log" source="List_Of_all_Groups_With_USers" SamAccountName=admin1 | sort SamAccountName | stats values("Group Name") by "SamAccountName"] [search index="role_log" source="List_Of_all_Groups_With_USers" SamAccountName=admin2 | sort SamAccountName | stats values("Group Name") by "SamAccountName"]

OR this one

index="role_log" source="List_Of_all_Groups_With_USers" (SamAccountName=admin1 OR SamAccountName=admin2) | sort SamAccountName | stats values("Group Name") by "SamAccountName"

But this display only groups for each user. in two lines.

But this don't indicate which groups is missing for admin1 or admin2, or also which group is added or not to each user.

0 Karma
Reply

sundareshr
Legend
‎10-20-2016 05:47 AM

Try this

index="role_log" source="List_Of_all_Groups_With_USers" (SamAccountName=admin1 OR SamAccountName=admin2) | chart dc over "Group Name" by SamAccountName | where NOT (admin1=admin2)

*OR*

index="role_log" source="List_Of_all_Groups_With_USers" (SamAccountName=admin1 OR SamAccountName=admin2) | chart dc over "Group Name" by SamAccountName | addtotals | where Total=1
0 Karma
Reply

danje57
Path Finder
‎10-20-2016 06:49 AM

Seems there is a statement error as chart dc over is not recognized

  • Error in 'chart' command: The specifier 'dc' is invalid. It must be in form (). For example: max(size).
0 Karma
Reply

danje57
Path Finder
‎10-20-2016 06:56 AM

This works fine:

  • index="role_log" source="List_Of_all_Groups_With_USers" (SamAccountName=admin1 OR SamAccountName=admin2) | chart dc ("Group Name") over "Group Name" by SamAccountName | where NOT (admin1=admin2)
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...