Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare two searches and find a missing values in each search

AlexeySh
Communicator
‎07-09-2019 08:38 AM

Hello,

I try to compare the Active Directory (AD) logs with the antivirus (AV) logs in order to find two things:
- Assets with a (potential) functional problem of antivirus (asset present in AD, but not in AV logs)
- Assets with an AD connection problem (asset present in AV, but not in AD logs)

So I need to find assets missing in both searches and not only the difference between them (that's why I can't use set diffquery), something like that:

The result of initial searches:

AD   AV
A    A
B    B
C    C
D    F
E    G

The result i'd like to have:

miss_in_ad_logs   miss_in_av_logs
       F                 D
       G                 E

I tried to wright a query like in this question, but failed 😞 Could you please help with the search?
Here are the initial searches (almost identical and both are pretty simple):

index=antivirus_index | fields asset_name
| dedup asset_name
| table asset_name

-

index=ad_index | fields src_dns
| dedup src_dns
| table src_dns

Regards,
Alex.

0 Karma
Reply

oscar84x
Contributor
‎07-10-2019 07:51 AM

Could you try the search below?
The table should list both fields, with the field missing a value blank and the index listed should be the index containing the value.

index=antivirus_index 
| fields asset_name index 
| dedup asset_name 
| table asset_name index 
| append 
    [ search index=ad_index 
    | fields src_dns index 
    | dedup src_dns 
    | table src_dns index] 
| table asset_name src_dns index 
| where asset_name!=src_dns
Reply

AlexeySh
Communicator
‎07-11-2019 04:57 AM

Hello oscar84x,

Appreciate your help!

Unfortunately, it doesn't seem to work. Everything works perfectly except for the last line: for some reson it shows "no results found". I tried to replace where by search and search NOT, but with no success 😞

Finally I decided to perform to independent searches and show the results in a dashboard.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...