Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

File Comparision

akankshayadav
Path Finder
‎05-20-2021 09:35 PM

I have a file which is being indexed(say today) and then again indexed after updating(say tomorrow). I have to compare the events of the two versions and display the event(s) which is present in the  new one but not in old or vice versa. Can any help?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2021 10:29 PM

How is the file indexed? How do the events differ from day to day? How many events per file when indexed? What else can you say about the indexing process?

0 Karma
Reply

akankshayadav
Path Finder
‎05-20-2021 10:50 PM

Files are indexed through inputs.cong . 

Files differs as.. example file1 indexed today has 1event  ZC_01;11;13;30 and when updated and indexed it has 2 events ZC_01;11;13;30
                    ZC_01;11;13;29

i have to display the result as...   ZC_01;11;13;29 this is the newly added data in the updated file1.

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2021 11:22 PM

Do the events from the two different days have different timestamps? Do events from the first indexing also appear in the second indexing (just with different timestamps)?

0 Karma
Reply

akankshayadav
Path Finder
‎05-20-2021 11:26 PM

akankshayadav_0-1621578250200.png

akankshayadav_1-1621578348703.png

 

This image can help you understand the scenario. 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-20-2021 11:40 PM

How about something like this

search 1
| append [search 2]
| eventstats count by _raw
| where count=1
0 Karma
Reply

akankshayadav
Path Finder
‎05-20-2021 11:46 PM

Actually sir, i am a very beginner. Can you  elaborate the query in an clear way. The above one didn't work. What should i write in place of search 1 and 2?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-21-2021 12:03 AM

You might not need two searches if both times the file is indexed they go into the same index

index="compindex"
| eventstats count by _raw
| where count=1

The problem with defining your question with non-specific or fabricated examples is that the answers are often just as vague and it takes longer to resolve, but this is the price we pay for anonymisation 😁

Reply

akankshayadav
Path Finder
‎05-21-2021 12:07 AM

i did this one and got the resutl. thank u sir. and one more help.. how to display it as a table with columns 

source  time(when file was indexed latest)  OnlyThe NewData 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-21-2021 12:16 AM 
index="compindex"
| eventstats count by _raw
| where count=1
| table source _indextime _raw
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...