Splunk Search

How to compare two searches and find the missing values in each search

AlexeySh
Communicator

Hello,

I am trying to compare the Active Directory (AD) logs with the antivirus (AV) logs in order to find two things:
- Assets with a (potential) functional problem of antivirus (asset present in AD, but not in AV logs)
- Assets with an AD connection problem (asset present in AV, but not in AD logs)

So I need to find the assets missing in each of the two searches, not only the difference between them (that's why I can't use a set diff query), something like this:

The result of initial searches:

AD   AV
A    A
B    B
C    C
D    F
E    G

The result I'd like to have:

miss_in_ad_logs   miss_in_av_logs
       F                 D
       G                 E

I tried to write a query like the one in this question, but failed 😞 Could you please help with the search?
Here are the initial searches (almost identical and both are pretty simple):

index=antivirus_index | fields asset_name
| dedup asset_name
| table asset_name

-

index=ad_index | fields src_dns
| dedup src_dns
| table src_dns

Regards,
Alex.

0 Karma

oscar84x
Contributor

Could you try the search below?
The table should list both fields, with the field missing a value blank and the index listed should be the index containing the value.

index=antivirus_index 
| fields asset_name index 
| dedup asset_name 
| table asset_name index 
| append 
    [ search index=ad_index 
    | fields src_dns index 
    | dedup src_dns 
    | table src_dns index] 
| table asset_name src_dns index 
| where asset_name!=src_dns

AlexeySh
Communicator

Hello oscar84x,

Appreciate your help!

Unfortunately, it doesn't seem to work. Everything works perfectly except for the last line: for some reason it shows "no results found". I tried replacing where with search and search NOT, but with no success 😞

Finally I decided to perform two independent searches and show the results in a dashboard.

0 Karma
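For readers who land on this thread with the same problem, here is an added example of a search that produces the requested symmetric difference; it is not from either participant. The `where asset_name!=src_dns` line in the earlier answer returns nothing because, after `append`, every row carries only one of the two fields, and a `where` comparison against a null field evaluates to false for every row. The approach below instead maps both sources onto one common field and counts where each asset was seen. The index names and field names (`antivirus_index`/`asset_name`, `ad_index`/`src_dns`) are taken from the question; the `lower()` normalization and the `seen_in` marker field are assumptions added for this example.

```spl
| multisearch
    [ search index=antivirus_index
      | eval asset=lower(asset_name), seen_in="av" ]
    [ search index=ad_index
      | eval asset=lower(src_dns), seen_in="ad" ]
| stats values(seen_in) AS seen_in BY asset
| where mvcount(seen_in)=1
| eval miss_in_ad_logs=if(seen_in="av", asset, null()),
       miss_in_av_logs=if(seen_in="ad", asset, null())
| stats list(miss_in_ad_logs) AS miss_in_ad_logs,
        list(miss_in_av_logs) AS miss_in_av_logs
```

With the sample data from the question (AD: A B C D E; AV: A B C F G) the `stats ... BY asset` step yields one row per asset with `seen_in` equal to `av`, `ad` or both; the `mvcount(seen_in)=1` filter keeps only assets seen in exactly one source, and the final `stats list()` collapses them into one row with the two requested columns (`miss_in_ad_logs` = F, G and `miss_in_av_logs` = D, E). Drop the last line if one row per asset is preferred. `multisearch` is used instead of `append` so that the second source is not subject to subsearch result and time limits. If the AV logs record short hostnames while AD records FQDNs, normalize both sides to the same form before the `stats`, otherwise every asset will appear as missing on both sides.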