All,
I have a list of X hosts and another list of Y hosts. Seems to me Splunk should have an easy way to diff these. Any special commands or tools?
You can very well do this by appending both lists, expanding the appended list, then doing an eventstats by the appended list, and finally seeing where the count < 2. Here is a sample search I wrote. Let me know if it works for you.
| makeresults
| eval Data="Apple,Banana,Cat,Dog:Apple,Banana,Charlie,Daniel"
| eval List1=mvindex(split(Data,":"),0)
| eval List2=mvindex(split(Data,":"),1)
| fields List1 List2
| makemv delim="," List1
| makemv delim="," List2
| eval List=mvappend(List1,List2)
| mvexpand List
| eventstats count by List
| where count<2
The set command can show the differences between the two lists. It does not, however, tell you in which list the difference was found.
Do you mean lists (as in CSV/lookup files) or do you mean a pair of queries which return you two different lists of host names?
I can do either one. In this case I am comparing a CSV to a table I generate from logs.
Can you try the solution I suggested below?
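
An added example, not from any poster in this thread: a search that diffs two host lists and also reports which list each unmatched host came from, which is the piece the set command leaves out. It counts distinct sources per host rather than rows, so a host repeated inside one list is not mistaken for a match, and it normalizes case and whitespace first. The host names and the source_list, found_in, sources and status field names are constructed for illustration; for the CSV-versus-logs case, replace the first makeresults branch with an inputlookup of your own lookup file and the subsearch with the search that builds the host table from logs, keeping the source_list tag on each.

```spl
| makeresults
| eval host=split("web01,web02,db01,db01,app01", ","), source_list="csv"
| mvexpand host
| append
    [| makeresults
     | eval host=split("WEB01,web02,db01,cache01", ","), source_list="logs"
     | mvexpand host]
| eval host=lower(trim(host))
| stats values(source_list) as found_in dc(source_list) as sources by host
| where sources < 2
| eval status=if(found_in="csv", "in CSV only", "in logs only")
| table host status
```

With the constructed data this returns app01 as "in CSV only" and cache01 as "in logs only"; db01 (listed twice in the CSV branch) and web01 (different case in each branch) are correctly treated as present in both.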