Splunk Search

How to Compare Values Based on Multiple Field Matches

rdhdr
Explorer

Hello, I have the following dataset. It consists of configuration parameters from multiple systems. Each system has somewhere in the neighborhood of 3000-5000 parameters, some of which will not exist in all systems. I am trying to come up with a list of unique combinations of parameters with a Matching flag which shows whether the value is identical between both systems. It should indicate a false flag if the parameter exists in either system, but not the other, or if the parameter exists in both systems but with different values.

The parameters are identified by a unique combination of SERVICE_NAME, FILE_NAME, SECTION and KEY (all four are required to be the same). And the system is identified by SID. The data look like this:

| SID | SERVICE_NAME | FILE_NAME | SECTION | KEY | VALUE |
|---|---|---|---|---|---|
| AAA | index | global.ini | global | timezone_dataset | 123 |
| AAA | dpserver | index.ini | password policy | minimal_password_length | 16 |
| AAA | index | index.ini | flexible_table | reclaim_interval | 3600 |
| AAA | dpserver | global.ini | abstract_sql_plan | max_count | 1000000 |
| BBB | dpserver | index.ini | password policy | minimal_password_length | 16 |
| BBB | index | index.ini | password policy | minimal_password_length | 25 |
| BBB | dpserver | global.ini | abstract_sql_plan | max_count | 1000000 |
| BBB | index | index.ini | mergedog | check_interval | 60000 |

The data is in a dashboard, along with drop-downs to select two systems to be compared. Once a user selects system AAA and system BBB, I would like the result to show:

| SERVICE_NAME | FILE_NAME | SECTION | KEY | Match |
|---|---|---|---|---|
| index | global.ini | global | timezone_dataset | No |
| dpserver | index.ini | password policy | minimal_password_length | Yes |
| index | index.ini | flexible_table | reclaim_interval | No |
| dpserver | global.ini | abstract_sql_plan | max_count | Yes |
| index | index.ini | password policy | minimal_password_length | No |
| index | index.ini | mergedog | check_interval | No |

I have tried many different SPL searches, but none have provided the intended result.

I would greatly appreciate any assistance or guidance.

Cheers,

David

0 Karma
1 Solution

ITWhisperer
SplunkTrust
| stats values(SID) as SID values(VALUE) as VALUE by SERVICE_NAME FILE_NAME SECTION KEY
| eval match=if(mvcount(SID) = 2 AND mvcount(VALUE) = 1,"Yes", "No")


0 Karma
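A run-anywhere version of the accepted search, as an added example that is not part of the original posts: it rebuilds the sample rows from the question with `makeresults` (constructed inline), so the flags can be checked without the real index. Two lines are assumptions added here: the `search SID IN (...)` filter stands in for the two dashboard drop-down selections, since `mvcount(SID) = 2` only means "present in both" when exactly two systems reach `stats`, and `fillnull` (with the placeholder string `<unset>`) keeps a key whose VALUE is empty in one system from being flagged as a match, because `values()` ignores null values.

```spl
| makeresults
| eval row=mvappend(
    "AAA,index,global.ini,global,timezone_dataset,123",
    "AAA,dpserver,index.ini,password policy,minimal_password_length,16",
    "AAA,index,index.ini,flexible_table,reclaim_interval,3600",
    "AAA,dpserver,global.ini,abstract_sql_plan,max_count,1000000",
    "BBB,dpserver,index.ini,password policy,minimal_password_length,16",
    "BBB,index,index.ini,password policy,minimal_password_length,25",
    "BBB,dpserver,global.ini,abstract_sql_plan,max_count,1000000",
    "BBB,index,index.ini,mergedog,check_interval,60000")
| mvexpand row
| eval f=split(row, ","),
       SID=mvindex(f, 0),
       SERVICE_NAME=mvindex(f, 1),
       FILE_NAME=mvindex(f, 2),
       SECTION=mvindex(f, 3),
       KEY=mvindex(f, 4),
       VALUE=mvindex(f, 5)
| search SID IN ("AAA", "BBB")
| fillnull value="<unset>" VALUE
| stats values(SID) as SID values(VALUE) as VALUE by SERVICE_NAME FILE_NAME SECTION KEY
| eval Match=if(mvcount(SID) = 2 AND mvcount(VALUE) = 1, "Yes", "No")
| table SERVICE_NAME FILE_NAME SECTION KEY Match
```

Against real data, replace everything up to and including the first `eval` that sets the fields with the base search that returns the parameter events.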

rdhdr
Explorer

Wow, that was a lot simpler than the solutions I was trying to get working. Thank you!

0 Karma
