- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to compare two searches and find a missing val...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to compare two searches and find a missing values in each search
Hello,
I try to compare the Active Directory (AD) logs with the antivirus (AV) logs in order to find two things:
- Assets with a (potential) functional problem of antivirus (asset present in AD, but not in AV logs)
- Assets with an AD connection problem (asset present in AV, but not in AD logs)
So I need to find assets missing in both searches and not only the difference between them (that's why I can't use set diffquery), something like that:
The result of initial searches:
AD AV
A A
B B
C C
D F
E G
The result i'd like to have:
miss_in_ad_logs miss_in_av_logs
F D
G E
I tried to wright a query like in this question, but failed 😞 Could you please help with the search?
Here are the initial searches (almost identical and both are pretty simple):
index=antivirus_index | fields asset_name
| dedup asset_name
| table asset_name
-
index=ad_index | fields src_dns
| dedup src_dns
| table src_dns
Regards,
Alex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you try the search below?
The table should list both fields, with the field missing a value blank and the index listed should be the index containing the value.
index=antivirus_index
| fields asset_name index
| dedup asset_name
| table asset_name index
| append
[ search index=ad_index
| fields src_dns index
| dedup src_dns
| table src_dns index]
| table asset_name src_dns index
| where asset_name!=src_dns
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello oscar84x,
Appreciate your help!
Unfortunately, it doesn't seem to work. Everything works perfectly except for the last line: for some reson it shows "no results found". I tried to replace where by search and search NOT, but with no success 😞
Finally I decided to perform to independent searches and show the results in a dashboard.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
