Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to compare two results every week and display the differences from one index?

btluynk
Loves-to-Learn Lots
‎01-05-2023 12:35 AM

Hi team,

I want to compare two results every week and display the differences from one index. And I want create Jira ticket if the results are different.

Thanks

Labels (5)
Labels
0 Karma
Reply

btluynk
Loves-to-Learn Lots
‎01-05-2023 12:58 AM

Hi @gcusello ,

Thanks for your response, for example;

index=windows_server source=AD_Enabled_Server |dedup hostname|eval checker=0 |join type=outer hostname [search index=logsource source="/root/xxx/aaa.txt" |eval checker=1]|table hostname,checker|search checker=0

Every week this search runs and I get the results. But if the result is different, I want to create a structure like open a ticket.

Thanks

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2023 01:12 AM

Hi @btluynk,

always remember that Splunk isn't a database and the join command must be used only when you haven't any other solution because it's a very slow and resource consuming command.

Let me understand: you want to find the hostname in windows and in logsource, but if you use the condition checker=0, you always have results, what do you want really find: the list of hostanems every week?

Anyway, your original search can be done using stats in this way:

(index=windows_server source=AD_Enabled_Server) OR (index=logsource source="/root/xxx/aaa.txt")
| stats dc(index) AS index_count values(index) AS index BY hostname
| where index_count=1 AND index=windows

 If instead you want to find the hostname in windows that are also in logsource, you can use :

index=windows_server source=AD_Enabled_Server [ search index=logsource source="/root/xxx/aaa.txt") | fields hostname ]

this search has only the limit of 50,000 results in the subsearch.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-05-2023 12:46 AM

Hi @btluynk,

if you already created the search, please share it, otherwise, please share the sample data highlighting  the fields to compare.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...