Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

File Comparision

akankshayadav
Path Finder
‎05-20-2021 09:35 PM

I have a file which is being indexed(say today) and then again indexed after updating(say tomorrow). I have to compare the events of the two versions and display the event(s) which is present in the  new one but not in old or vice versa. Can any help?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2021 10:29 PM

How is the file indexed? How do the events differ from day to day? How many events per file when indexed? What else can you say about the indexing process?

0 Karma
Reply

akankshayadav
Path Finder
‎05-20-2021 10:50 PM

Files are indexed through inputs.cong . 

Files differs as.. example file1 indexed today has 1event  ZC_01;11;13;30 and when updated and indexed it has 2 events ZC_01;11;13;30
                    ZC_01;11;13;29

i have to display the result as...   ZC_01;11;13;29 this is the newly added data in the updated file1.

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2021 11:22 PM

Do the events from the two different days have different timestamps? Do events from the first indexing also appear in the second indexing (just with different timestamps)?

0 Karma
Reply

akankshayadav
Path Finder
‎05-20-2021 11:26 PM

akankshayadav_0-1621578250200.png

akankshayadav_1-1621578348703.png

 

This image can help you understand the scenario. 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2021 11:40 PM

How about something like this

search 1
| append [search 2]
| eventstats count by _raw
| where count=1
0 Karma
Reply

akankshayadav
Path Finder
‎05-20-2021 11:46 PM

Actually sir, i am a very beginner. Can you  elaborate the query in an clear way. The above one didn't work. What should i write in place of search 1 and 2?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-21-2021 12:03 AM

You might not need two searches if both times the file is indexed they go into the same index

index="compindex"
| eventstats count by _raw
| where count=1

The problem with defining your question with non-specific or fabricated examples is that the answers are often just as vague and it takes longer to resolve, but this is the price we pay for anonymisation 😁

Reply

akankshayadav
Path Finder
‎05-21-2021 12:07 AM

i did this one and got the resutl. thank u sir. and one more help.. how to display it as a table with columns 

source  time(when file was indexed latest)  OnlyThe NewData 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-21-2021 12:16 AM 
index="compindex"
| eventstats count by _raw
| where count=1
| table source _indextime _raw
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...