Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Difference in columns as output of 2 different searches

atulitm
Path Finder
‎05-15-2020 03:07 AM

Hello ,
I have data from 2 diff source with same fields as shown below :

index= sourcetype= source= test.txt
device_name="alpha" pool_name="a"
device_name="beta" pool_name="b"
device_name="gamma" pool_name="c"

index= sourcetype= source=test1.txt
device_name="alpha" pool_name="a"
device_name="beta" pool_name="b"
device_name="gamma" pool_name="z"

eval actual_pools = toString(device_name) + ";" + toString(pool_name)

I am looking for field actual_pools using raw data which i created above which exist in source=test1.txt but not in source=test.txt
Thanks

Tags (3)
0 Karma
Reply

ololdach
Builder
‎05-15-2020 03:44 AM

Hi,

start with an empty search. First, we have to recreate your data:
| makeresults | eval device_name="alpha,beta,gamma" | makemv delim="," device_name |mvexpand device_name | eval pool_name=if(device_name="gamma","c",substr(device_name,1,1))
Then we add a field that holds the source of the pool_name:
| eval pool_source="text1"
Next you append the events from the second query and give it a different pool_source as the last command in the subquery:
| append [| makeresults | eval device_name="alpha,beta,gamma" | makemv delim="," device_name |mvexpand device_name | eval pool_name=if(device_name="gamma","z",substr(device_name,1,1)) | eval pool_source="text2"]
Now you can use transaction to combine the results:
| transaction pool_name,device_name``

In the end it looks like this:
alt text

Preview file
249 KB
0 Karma
Reply

atulitm
Path Finder
‎05-15-2020 04:17 AM

It doesn't work may be because sorry I think i didn't put question in Splunk language there are not files but source of date , changed details below as per splunk names :

I have data from 2 diff source with same fields as shown below :

index=* sourcetype=* source= test.txt
device_name="alpha" pool_name="a"
device_name="beta" pool_name="b"
device_name="gamma" pool_name="c"

index=* sourcetype=* source=test1.txt
device_name="alpha" pool_name="a"
device_name="beta" pool_name="b"
device_name="gamma" pool_name="z"

eval actual_pools = toString(device_name) + ";" + toString(pool_name)

I am looking for field actual_pools using raw data which i created above which exist in source=test1.txt but not in source=test.txt . Thanks for help .

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...