Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Compare Values Based on Multiple Field Matches

rdhdr
Explorer
‎09-24-2024 07:29 AM

Hello, I have the following dataset. It consists of configuration parameters from multiple systems. Each system has somewhere in the neighborhood of 3000-5000 parameters, some of which will not exist in all systems. I am trying to come up with a list of unique combinations of parameters with an Matching flag which shows whether the value is identical between both systems. It should indicate a false flag if the parameter exists in either system, but not the other, or if the parameter exists in both systems but with different values.

The parameters are identified by a unique combination of SERVICE_NAME, FILE_NAME, SECTION and KEY (all four are required to be the same). And the system is identified by SID. The data look like this:

SIDSERVICE_NAMEFILE_NAMESECTIONKEYVALUE
AAAindexglobal.iniglobaltimezone_dataset123
AAAdpserverindex.inipassword policyminimal_password_length16
AAAindexindex.iniflexible_tablereclaim_interval3600
AAAdpserverglobal.iniabstract_sql_planmax_count1000000
BBBdpserverindex.inipassword policyminimal_password_length16
BBBindexindex.inipassword policyminimal_password_length25
BBBdpserverglobal.iniabstract_sql_planmax_count1000000
BBBindexindex.inimergedogcheck_interval60000

 

The data is in a dashboard, along with drop-downs to select two systems to be compared. One a user selects system AAA and system BBB, I would like the result to show:

SERVICE_NAMEFILE_NAMESECTIONKEYMatch
indexglobal.iniglobaltimezone_datasetNo
dpserverindex.inipassword policyminimal_password_lengthYes
indexindex.iniflexible_tablereclaim_intervalNo
dpserverglobal.iniabstract_sql_planmax_countYes
indexindex.inipassword policyminimal_password_lengthNo
indexindex.inimergedogcheck_intervalNo

 

I have tried many different SPL searches, but none have provided the intended result.

I would greatly appreciate any assistance or guidance.

Cheers,

David

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2024 07:42 AM 
| stats values(SID) as SID values(VALUE) as VALUE by SERVICE_NAME FILE_NAME SECTION KEY
| eval match=if(mvcount(SID) = 2 AND mvcount(VALUE) = 1,"Yes", "No")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

rdhdr
Explorer
‎09-24-2024 08:09 AM

Wow, that was a lot simpler than the solutions I was trying to get working. Thank you!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2024 07:42 AM 
| stats values(SID) as SID values(VALUE) as VALUE by SERVICE_NAME FILE_NAME SECTION KEY
| eval match=if(mvcount(SID) = 2 AND mvcount(VALUE) = 1,"Yes", "No")
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...