Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to compare the results of 2 searches?

ckutach
Engager
‎08-21-2023 11:52 AM

I have splunk logs that are of 2 types, successes and failures. They contain 2 things:

"SUCCESS" "ID: <IDNumber>"

"FAILURE" "ID: <IDNumber>"

 

My goal is to find IDs that are identified with failures that are not also identified with a success. So for the data:

"SUCCESS" "ID: 0000", "FAILURE" "ID: 0000", "SUCCESS" "ID: 1111", "FAILURE" "ID: 2222", "SUCCESS" "ID: 3333", "FAILURE" "ID: 4444"

the result would be the IDs 2222 and 4444

 

My current search is: 

 

index=sampleindex source=samplesource "SUCCESS" | rex field=_raw "ID: (?<id1>+)" | join [search index=sampleindex source=samplesource "FAILURE" | rex field=_raw "ID: (?<id2>+)"] | table id1, id2

 

 I am able to perform each of these searches separately and output the ids, but when I combine them I cannot get the results of either id1 or id2, so I am not able to compare them

 

Does anyone know how I can structure my search to achieve my final goal?

 

Labels (5)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎08-21-2023 05:42 PM

I am assuming that you will have 2 separate events, one for success and one for failure, so in that case, you'll need a slightly different version of @yuanliu SPL

index=sampleindex source=samplesource (SUCCESS OR FAILURE)
| rex field=data "\"(?<status>SUCCESS)\" \"ID:\s*(?<id>\d+)"
| rex field=data "\"(?<status>FAILURE)\" \"ID:\s*(?<id>\d+)"
| stats values(status) as status by id
| where mvcount(status)=1 AND status="FAILURE"

so the stats command combines all status values for the same id and then the where clause filters out only those ids where the status is FAILURE only

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎08-21-2023 03:37 PM

You can perform a set operation on the two searches as illustrated.  But a far more efficient method is to perform just one search and use mvmap.

index=sampleindex source=samplesource (SUCCESS OR FAILURE)
| rex field=data max_match=0 "\"SUCCESS\" \"ID:\s*(?<success>\d+)"
| rex field=data max_match=0 "\"FAILURE\" \"ID:\s*(?<failure>\d+)"
| eval failed = mvmap(failure, if(failure != success, failure, null()))

(In SPL, equality test of a scalar and a vector iterates over the vector.)  The field failed now contains all the failure IDs that is not found in success.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...