Compare two searches and remove identical value to find the difference between the two searches

Path Finder

Hi,

I have a CSV which contains group and user:

Groupe Name, User
administrator,admin1
guest,admin2
guest,admin1
printer, admin1

I would like to make two searches to retrieve the groups of admin1 and admin2, and then find and display the difference between them.

This is to find the difference in the role attribution of each user.

What is the best query to do this with Splunk?

I tried something like:

| set diff [search index="rolelog" source="*ListOfallGroupsWithUSers" SamAccountName=admin1 | sort SamAccountName | stats values("Group Name") by "SamAccountName"] [search index="role_log" source="ListOfallGroupsWith_USers*" SamAccountName=admin2 | sort SamAccountName | stats values("Group Name") by "SamAccountName"]

OR this one

index="rolelog" source="*ListOfallGroupsWithUSers*" (SamAccountName=admin1 OR SamAccountName=admin2) | sort SamAccountName | stats values("Group Name") by "SamAccountName"

But this only displays the groups of each user, on two lines.

It doesn't indicate which groups are missing for admin1 or admin2, or which groups are added or not for each user.

0 Karma

Legend

Try this

index="role_log" source="List_Of_all_Groups_With_USers" (SamAccountName=admin1 OR SamAccountName=admin2) | chart dc over "Group Name" by SamAccountName | where NOT (admin1=admin2)

*OR*

index="role_log" source="List_Of_all_Groups_With_USers" (SamAccountName=admin1 OR SamAccountName=admin2) | chart dc over "Group Name" by SamAccountName | addtotals | where Total=1
0 Karma

Path Finder

Seems there is a statement error, as "chart dc over" is not recognized:

Error in 'chart' command: The specifier 'dc' is invalid. It must be in form (). For example: max(size).
0 Karma

Path Finder

This works fine:

index="rolelog" source="ListOfallGroupsWithUSers" (SamAccountName=admin1 OR SamAccountName=admin2) | chart dc ("Group Name") over "Group Name" by SamAccountName | where NOT (admin1=admin2)
0 Karma
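As an added example (not one of the queries posted in this thread), here is the same comparison extended so the result also states in which direction each group differs, which is what the original question asked for ("which group is missing for admin1 or admin2"). It assumes the index, source and field names exactly as the asker used them (index "rolelog", source "ListOfallGroupsWithUSers", fields "Group Name" and SamAccountName); adjust them to your environment. Counting dc(SamAccountName) instead of dc("Group Name") makes the cell value 1 whenever the account appears in the group, even if the same membership line was indexed more than once, and the fillnull step turns empty cells into 0 so the comparison never silently drops rows where one user is absent:

```spl
index="rolelog" source="ListOfallGroupsWithUSers" (SamAccountName=admin1 OR SamAccountName=admin2)
| chart dc(SamAccountName) over "Group Name" by SamAccountName
| fillnull value=0 admin1 admin2
| where admin1!=admin2
| eval status=if(admin1=1, "only admin1 (missing for admin2)", "only admin2 (missing for admin1)")
| table "Group Name" admin1 admin2 status
```

On the sample CSV from the question this returns two rows: "administrator" with status "only admin1 (missing for admin2)" and "printer" with the same status, while "guest" is dropped because both accounts hold it. The chart columns are named after the SamAccountName values, so if the accounts are spelled differently in the data (for example with a domain prefix), the column names in the fillnull, where and eval steps must match that spelling.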