Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to compare two searches and find a missing val...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to compare two searches and find a missing values in each search
AlexeySh
Communicator
07-09-2019
08:38 AM
Hello,
I try to compare the Active Directory (AD) logs with the antivirus (AV) logs in order to find two things:
- Assets with a (potential) functional problem of antivirus (asset present in AD, but not in AV logs)
- Assets with an AD connection problem (asset present in AV, but not in AD logs)
So I need to find assets missing in both searches and not only the difference between them (that's why I can't use set diffquery), something like that:
The result of initial searches:
AD AV
A A
B B
C C
D F
E G
The result i'd like to have:
miss_in_ad_logs miss_in_av_logs
F D
G E
I tried to wright a query like in this question, but failed 😞 Could you please help with the search?
Here are the initial searches (almost identical and both are pretty simple):
index=antivirus_index | fields asset_name
| dedup asset_name
| table asset_name
-
index=ad_index | fields src_dns
| dedup src_dns
| table src_dns
Regards,
Alex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
07-15-2019
01:09 PM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oscar84x
Contributor
07-10-2019
07:51 AM
Could you try the search below?
The table should list both fields, with the field missing a value blank and the index listed should be the index containing the value.
index=antivirus_index
| fields asset_name index
| dedup asset_name
| table asset_name index
| append
[ search index=ad_index
| fields src_dns index
| dedup src_dns
| table src_dns index]
| table asset_name src_dns index
| where asset_name!=src_dns
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AlexeySh
Communicator
07-11-2019
04:57 AM
Hello oscar84x,
Appreciate your help!
Unfortunately, it doesn't seem to work. Everything works perfectly except for the last line: for some reson it shows "no results found". I tried to replace where by search and search NOT, but with no success 😞
Finally I decided to perform to independent searches and show the results in a dashboard.
Get Updates on the Splunk Community!
Now Playing: Splunk Education Summer Learning Premieres
It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
The Visibility Gap: Hybrid Networks and IT Services
The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...
Get Operational Insights Quickly with Natural Language on the Splunk Platform
In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
