Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you compare values between two fields from two separate indexes?

gbwilson
Path Finder
‎09-25-2018 12:23 PM

I'm trying to compare values between two fields from two separate indexes. I only want values returned where there is not a match to a value in the Ecom index.

I might have a table like this in the Ecom index:
small-service1
small-service2
small-service3

In my cms_application index I might have values like this:
small-service1
small-service2

I want to see small-service3 as the value returned since it IS in the Ecom index but NOT in the cms_application index. Can someone help me out? I'm only getting results that say NO MATCH and the entire column for ApplicationService is coming back blank. Thanks in advance.

(index=ecom* earliest="-60m@m" sourcetype=healthchecks)  OR (index=cms_application earliest="1" latest="now") 
 | rex mode=sed field=host "s/.us.company.com//g" | lookup hostsip hostname as host | search application=*api* | dedup microservice | fields microservice
 | streamstats count by microservice, ApplicationService
 | stats values(microservice) AS microservice, values(ApplicationService) AS ApplicationService
 | mvexpand microservice 
 | eval Status = if(match(microservice,ApplicationService), "MATCH", "NO MATCH") 
 | table microservice, ApplicationService, Status
 | where Status="NO MATCH"
0 Karma
Reply

woodcock
Esteemed Legend
‎09-25-2018 12:53 PM

Try this:

(index=ecom* earliest="-60m@m" sourcetype=healthchecks) OR (index=cms_application earliest="1" latest="now")
| rex mode=sed field=host "s/.us.company.com//g"
| lookup hostsip hostname as host
| search application=*api*
| eval microservice=coalesce(microservice, ApplicationService)
| stats values(index) AS index dc(index) AS indexCount BY microservice
| search indexCount=1 AND NOT index="Ecom"
0 Karma
Reply

harishalipaka
Motivator
‎09-25-2018 12:32 PM

You can use match or ==

Thanks
Harish
0 Karma
Reply

somesoni2
Revered Legend
‎09-25-2018 12:30 PM

Give this a try

(index=ecom* earliest="-60m@m" sourcetype=healthchecks) OR (index=cms_application earliest="1" latest="now") | rex mode=sed field=host "s/.us.company.com//g" | lookup hostsip hostname as host | search application=*api* 
| stats values(index) as indexes by microservice ApplicationService
| eval Status = case(mvcount(indexes)=2, "MATCH", like(indexes,"ecom%"),"NO MATCH", true(),"Service in CMS but not in ECOM") | table microservice, ApplicationService, Status | where Status="NO MATCH"
0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...