I am trying to compare the Active Directory (AD) logs with the antivirus (AV) logs in order to find two things:
- Assets with a (potential) functional problem of antivirus (asset present in AD, but not in AV logs)
- Assets with an AD connection problem (asset present in AV, but not in AD logs)
So I need to find the assets missing from each search, not only the difference between them (that's why I can't use a set diff query), something like this:
The result of initial searches:
AD   AV
A    A
B    B
C    C
D    F
E    G
The result i'd like to have:
miss_in_ad_logs   miss_in_av_logs
F                 D
G                 E
I tried to write a query like in this question, but failed 😞 Could you please help with the search?
Here are the initial searches (almost identical and both are pretty simple):
index=antivirus_index | fields asset_name | dedup asset_name | table asset_name
index=ad_index | fields src_dns | dedup src_dns | table src_dns
Could you try the search below?
The table should list both fields, with the field missing a value blank and the index listed should be the index containing the value.
index=antivirus_index | fields asset_name index | dedup asset_name | table asset_name index | append [ search index=ad_index | fields src_dns index | dedup src_dns | table src_dns index] | table asset_name src_dns index | where asset_name!=src_dns
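A stats-based variant of the same idea, added here as an example and not taken from the thread: it reads both indexes in one search, keys every event on a single normalised asset field, and keeps only assets that were seen in exactly one index. It assumes the index and field names from the question and that asset_name and src_dns hold the same form of hostname (same case, both short or both fully qualified); if they do not, normalise them in the eval before the stats.

```spl
(index=antivirus_index) OR (index=ad_index)
| eval asset=lower(coalesce(asset_name, src_dns))
| stats values(index) AS seen_in BY asset
| where mvcount(seen_in)=1
| eval miss_in_ad_logs=if(seen_in="antivirus_index", asset, null()),
       miss_in_av_logs=if(seen_in="ad_index", asset, null())
| table miss_in_ad_logs miss_in_av_logs
```

With the sample data from the question this yields F and G under miss_in_ad_logs and D and E under miss_in_av_logs; assets present in both indexes have two values in seen_in and are dropped by the where clause.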
Appreciate your help!
Unfortunately, it doesn't seem to work. Everything works perfectly except for the last line: for some reason it shows "no results found". I tried to replace it with search NOT, but with no success 😞
Finally I decided to perform two independent searches and show the results in a dashboard.