Hi Team.
I have a big ol' search that tables a bunch of resource usage data. Now I smack an outputcsv on that bad boy and schedule it to run once a month.
Before it runs next month I would like to run the search again, drag in the old search with inputcsv and then compare the two, and maybe only list the changes (and maybe how much it changes?).
(index="redacted" OR index="redacted2") EventCode=1011 | rex field=Message "\W(?<ServerName>\S+)\s\w+\W(?<PowerState>\S+)\s\w+\W(?<CpuCount>\S+)\s\w+\W(?<CoresPerSocket>\S+)\s\w+\W(?<GuestHostName>\S+)(:)(?<GuestOS>.+)(MemoryMB)\W(?<MemoryMB>\S+)\s\w+\W(?<ResourcePool>.+)(Version)\W(?<Version>\w+)\s\w+\W(?<UsedSpaceGB>\S+)\s\w+\W(?<ProvisionedSpaceGB>\S+)\s\w+\W(?<VMHost>\S+)\s\w+\W(?<Folder>.+)" | eval UsedSpaceGB = round(UsedSpaceGB,2) | eval ProvisionedSpaceGB = round(ProvisionedSpaceGB,2) | search VMHost="***" | table ServerName PowerState CpuCount CoresPerSocket GuestHostName GuestOS MemoryMB ResourcePool Version UsedSpaceGB ProvisionedSpaceGB VMHost Folder | dedup ServerName | search ServerName="*" | search VMHost="*" PowerState="*" ResourcePool="redacted "| outputcsv redacted_filename.csv
New search: inputcsv redacted_filename.csv lists the old search just fine, except it sorted the table names alphabetically, but whatever.
Is there an easy way to compare the two, or will I have to extract all fields and compare manually?
Anybody with an idea for a quicker way to do it?
You could use stats values(*) as * by a key field and then look for mvcount()s greater than 1
Hey ITWhisperer, thanks for replying.
Think you could spell it out for me? 😐
Try something like this
your search (without the trailing outputcsv)
| inputcsv append=true redacted_filename.csv
| stats values(*) as * by ServerName
| foreach *
    [| eval different=if(mvcount(<<FIELD>>) > 1, "true", different)]
| where different="true"
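A fuller version of ITWhisperer's approach, added here as an example and not part of the thread: it tags each row with the snapshot it came from, so the output also says whether a server is new, gone or changed, lists the fields that differ, and shows the UsedSpaceGB delta the question asked about. It assumes the CSV was written by the monthly search in the question (one row per ServerName, no snapshot column) and that the field names match the table command there.

```spl
<your monthly search from the question, everything before | outputcsv>
| eval snapshot="current"
| inputcsv append=true redacted_filename.csv
| eval snapshot=coalesce(snapshot, "previous")
| stats values(*) as *
        max(eval(if(snapshot="previous", UsedSpaceGB, null()))) as UsedSpaceGB_before
        max(eval(if(snapshot="current",  UsedSpaceGB, null()))) as UsedSpaceGB_now
        by ServerName
| eval UsedSpaceGB_delta=UsedSpaceGB_now - UsedSpaceGB_before
| foreach PowerState CpuCount CoresPerSocket GuestOS MemoryMB ResourcePool Version ProvisionedSpaceGB VMHost Folder
    [| eval changed_fields=if(mvcount('<<FIELD>>') > 1,
                               if(isnull(changed_fields), "<<FIELD>>", mvappend(changed_fields, "<<FIELD>>")),
                               changed_fields)]
| eval status=case(
      mvcount(snapshot)==1 AND snapshot="current",  "new since last month",
      mvcount(snapshot)==1 AND snapshot="previous", "gone since last month",
      isnotnull(changed_fields),                    "changed",
      true(),                                       "unchanged")
| where status!="unchanged"
| table ServerName status changed_fields UsedSpaceGB_before UsedSpaceGB_now UsedSpaceGB_delta
```

Because stats values() collapses duplicates, a field ends up with two values only when the two snapshots disagree, which is what the foreach loop turns into the changed_fields list. Keep the scheduled outputcsv search as it is so the saved file never carries the snapshot column.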