Re: Diff of 2 searches

Pete_Bassill · ‎04-14-2010

How would I go about running a search that compares the output to two searches and reports the difference between the two outputs?

To expand on this a little:

Search 1:

tag=pci source=/var/log/messages | top host limit=0 | fields host

Search 2:

tag=pci source=/var/log/messages Aide | top host limit=0 | fields hosts

I want to report on hosts that are in Search 1 but not in Search 2.

How would I do this?

Stephen_Sorkin · ‎08-31-2010

gkanapathy's first search will work, but his seconds will not (as you have to look at the "Aide" messages to know which hosts to exclude).

You can also use stats to solve this:

tag=pci source=/var/log/messages | eval has_Aide = if(searchmatch("Aide"), 1, 0) | stats values(has_Aide) as has_Aide by host | search has_Aide=0 AND has_Aide!=1

gkanapathy · ‎04-14-2010

You can in general use a subsearch:

tag=pci source=/var/log/messages NOT [ search tag=pci source=/var/log/message Aide | top host limit=0 | fields host ] | top host limit=0 | fields host

but really in the case of your specific search you may be able to simply do:

tag=pci source=/var/log/messages NOT Aide | top host limit=0 | fields host

In other cases, you can also consider the |set diff command

Lowell · ‎04-26-2010

Just a quick word about set diff option. Don't forget to remove the hidden fields in your subsearch. In your example, instead of just using | fields host, you would have to use | fields + host | fields - _time _raw Otherwise, set will attempt to compare your hidden fields which generally will not work out.

Diff of 2 searches

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All