Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Compare two mv fields and audit individual results?

dural_yyz
Builder
‎08-24-2023 06:58 AM

I'm looking specifically at the index for _configtracker to audit changes to serverclass.conf file.  Because the nature of the <filtertype>.n = <value> the behavior is one action to remove all values, then a second action to rewrite all the values in lexi order.  This is making auditing add/removals/static very difficult.

I have managed to transact the events so I can compare old values to new values.  I struggle with how to compare the results to identify changes when values list is very long.

Current Table Output

Unique Ident OldValues NewValues 
<transact-x>
 
A
B
C
D
 
A
C
D
E

 

What I'm looking for

Unique Ident OldValues NewValue Audit
<transact-x> A A NoChange
<transact-x> B   Removed
<transact-x> C C NoChange
<transact-x> D D NoChange
<transact-x>   E Added

 

Assumptions

1) stats values(field): I don't believe any of my samples cross over 10,000 which I believe is default limits for values field

2) values function will lexi order all values regardless of original order in raw data feed

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-24-2023 07:37 AM

It is a bit convoluted because you need to create additional events to cover all comparisons.

| mvexpand OldValues
| eval Audit=if(isnotnull(mvfind(NewValue,OldValues)),"NoChange","Removed")
| eventstats values(OldValues) as allOldValues by Unique_Ident
| mvexpand NewValue
| eval NewAudit=if(isnotnull(mvfind(allOldValues,NewValue)),null(),"Added")
| eval OldValues=if(NewAudit="Added",null(),OldValues)
| eval NewValue=if(Audit="NoChange" AND isnotnull(OldValues),OldValues,if(Audit="Removed" AND isnotnull(OldValues),null(),NewValue))
| eval Audit=coalesce(NewAudit,Audit)
| fields Unique_Ident OldValues NewValue Audit
| fillnull value="" OldValues NewValue
| dedup Unique_Ident OldValues NewValue Audit

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-24-2023 07:37 AM

It is a bit convoluted because you need to create additional events to cover all comparisons.

| mvexpand OldValues
| eval Audit=if(isnotnull(mvfind(NewValue,OldValues)),"NoChange","Removed")
| eventstats values(OldValues) as allOldValues by Unique_Ident
| mvexpand NewValue
| eval NewAudit=if(isnotnull(mvfind(allOldValues,NewValue)),null(),"Added")
| eval OldValues=if(NewAudit="Added",null(),OldValues)
| eval NewValue=if(Audit="NoChange" AND isnotnull(OldValues),OldValues,if(Audit="Removed" AND isnotnull(OldValues),null(),NewValue))
| eval Audit=coalesce(NewAudit,Audit)
| fields Unique_Ident OldValues NewValue Audit
| fillnull value="" OldValues NewValue
| dedup Unique_Ident OldValues NewValue Audit
Reply
Solved! Jump to solution

dural_yyz
Builder
‎08-24-2023 08:22 AM

This is exactly what I needed.

My unique_ident was actually a collection of fields.  I just eval'd them together as a big string with a delim character that I can easily separate out post processing.

One issue that I will not worry too much about but if you have a hint would be good.  The values fields are text and can contain an "*" character.  Even if the value exists on both columns it is registering as "Added" and "Removed".  Because of the nuance I can live with it.  However, if I wanted to move this into a dashboard not all users might understand the mechanics.

Example

UniqueOldNew
transact-x*_ABCD_**_ABCD_*

Results

UniqueOldNewAudit
transact-x *_ABCD_*Added
transact-x*_ABCD_* Removed
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-24-2023 09:22 AM

The * is being treated as a special character by the mvfind which is confusing the mvfind function and giving you false positives / false negatives. You could try replace() to change them to something else, then change them back afterwards?

Reply
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...