Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

File Comparision

akankshayadav
Path Finder
‎05-20-2021 09:35 PM

I have a file which is being indexed(say today) and then again indexed after updating(say tomorrow). I have to compare the events of the two versions and display the event(s) which is present in the  new one but not in old or vice versa. Can any help?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2021 10:29 PM

How is the file indexed? How do the events differ from day to day? How many events per file when indexed? What else can you say about the indexing process?

0 Karma
Reply

akankshayadav
Path Finder
‎05-20-2021 10:50 PM

Files are indexed through inputs.cong . 

Files differs as.. example file1 indexed today has 1event  ZC_01;11;13;30 and when updated and indexed it has 2 events ZC_01;11;13;30
                    ZC_01;11;13;29

i have to display the result as...   ZC_01;11;13;29 this is the newly added data in the updated file1.

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2021 11:22 PM

Do the events from the two different days have different timestamps? Do events from the first indexing also appear in the second indexing (just with different timestamps)?

0 Karma
Reply

akankshayadav
Path Finder
‎05-20-2021 11:26 PM

akankshayadav_0-1621578250200.png

akankshayadav_1-1621578348703.png

 

This image can help you understand the scenario. 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2021 11:40 PM

How about something like this

search 1
| append [search 2]
| eventstats count by _raw
| where count=1
0 Karma
Reply

akankshayadav
Path Finder
‎05-20-2021 11:46 PM

Actually sir, i am a very beginner. Can you  elaborate the query in an clear way. The above one didn't work. What should i write in place of search 1 and 2?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-21-2021 12:03 AM

You might not need two searches if both times the file is indexed they go into the same index

index="compindex"
| eventstats count by _raw
| where count=1

The problem with defining your question with non-specific or fabricated examples is that the answers are often just as vague and it takes longer to resolve, but this is the price we pay for anonymisation 😁

Reply

akankshayadav
Path Finder
‎05-21-2021 12:07 AM

i did this one and got the resutl. thank u sir. and one more help.. how to display it as a table with columns 

source  time(when file was indexed latest)  OnlyThe NewData 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-21-2021 12:16 AM 
index="compindex"
| eventstats count by _raw
| where count=1
| table source _indextime _raw
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...