Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare columns in a row

ewanbrown
Path Finder
‎03-23-2016 11:46 AM

Hi

I have a query that produces some output like this:

ID server_a.1  server_a.2        server_b.1           server_b.2
1  0                   0            1                       0
2  1                   0            1                       1
3  1                   1            0                       0

I'd like to be able to add to it to tell me the number of ID's which are present in server_a*, but not in server_b* and visa versa. I think I can do it by making this an inner query, however I need to do it across millions of records, so that is not an option

Any help is appreciated!

Thanks

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎03-24-2016 07:28 AM

Append this to your search:

... | foreach server_a* [eval A = A + <<FIELD>>] | foreach server_b* [eval B = B + <<FIELD>>] | multireport | [stats dc(ID) AS dcIDbyA values(ID) AS valuesIDbyA BY A] [stats dc(ID) as dcIDbyB values(ID) AS valuesIDbyB BY B]
0 Karma
Reply

somesoni2
Revered Legend
‎03-23-2016 01:40 PM

If the name of servers are fixed/static, then something like this could work

your current search giving above output | addtotals server_a* fieldname=present_in_server_a | addtotals server_b* fieldname=present_in_server_b | eval status=case(present_in_server_a =0 AND present_in_server_b>0 ,"Present in server_b* only", present_in_server_a >0 AND present_in_server_b=0,"Present in server_a* only",1=1,"Present in both")

This will add a field status to specify which ID is present in which servers. You can further chart the count if you need

above search | stats count by status
Reply

ewanbrown
Path Finder
‎03-24-2016 03:30 AM

Perfect, thanks

0 Karma
Reply

lguinn2
Legend
‎03-23-2016 01:22 PM

It would be helpful to see the search that produced this.
I have a feeling that this table was produced by a chart command - but by using a stats command then xyseries, I think you can easily get what you want.

0 Karma
Reply

ewanbrown
Path Finder
‎03-24-2016 03:40 AM

Hi,

I've the answer now, but the source query was:

index=beacons| spath | eval       temp=mvzip(mvzip(mvzip('bean.data.matches{}.clusterId','bean.data.matches{}.facility'),'bean.data.matches{}.matchStatus'), 'bean.data.matches{}.cluster') | mvexpand temp | eval x = split(temp,",") | eval clusterId=mvindex(x,0) | eval facility=mvindex(x,1) | eval match_status=mvindex(x,2) | eval cluster=mvindex(x,3) | search cluster=1 OR cluster=2 OR cluster=3 |  chart count by clusterId, facility
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...