How would I go about running a search that compares the output to two searches and reports the difference between the two outputs?
To expand on this a little:
Search 1:
tag=pci source=/var/log/messages | top host limit=0 | fields host
Search 2:
tag=pci source=/var/log/messages Aide | top host limit=0 | fields hosts
I want to report on hosts that are in Search 1 but not in Search 2.
How would I do this?
gkanapathy's first search will work, but his seconds will not (as you have to look at the "Aide" messages to know which hosts to exclude).
You can also use stats
to solve this:
tag=pci source=/var/log/messages | eval has_Aide = if(searchmatch("Aide"), 1, 0) | stats values(has_Aide) as has_Aide by host | search has_Aide=0 AND has_Aide!=1
You can in general use a subsearch:
tag=pci source=/var/log/messages NOT [ search tag=pci source=/var/log/message Aide | top host limit=0 | fields host ] | top host limit=0 | fields host
but really in the case of your specific search you may be able to simply do:
tag=pci source=/var/log/messages NOT Aide | top host limit=0 | fields host
In other cases, you can also consider the |set diff
command
Just a quick word about set diff
option. Don't forget to remove the hidden fields in your subsearch. In your example, instead of just using | fields host
, you would have to use | fields + host | fields - _time _raw
Otherwise, set
will attempt to compare your hidden fields which generally will not work out.