How to compare two searches to find values in one ...

zachsisinst · ‎03-11-2020

I have two datasets in separate indexes that I would like to compare. i.e.

dataset from `search1`:

item1
item2
item3

dataset from `search2`:

item1
item2
item3
item4
item5

I would like to produce a table that gives me a table of items that exist in search2 and not in search1. i.e.

itemfield       searchname`
-------------------------------------
item4            search2
item5            search2

How would I do this?

anmolpatel · ‎03-11-2020

Something like this:

| makeresults 
| eval _raw = "list
         item1
         item2
         item3" 
| multikv forceheader=1 
| eval inList1 = "Y" 
| appendcols 
    [| makeresults 
    | eval _raw = "list
    item1
    item2
    item3
    item4
    item5" 
    | multikv forceheader=1 
    | table list] 
| eval inList2 = if(inList1 = "Y", "N", "Y") 
| where inList2 = "Y" 
| table list

How to compare two searches to find values in one search and not the other

dataset from `search1`:

dataset from `search2`:

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

How to compare two searches to find values in one search and not the other

dataset from search1:

dataset from search2:

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

dataset from `search1`:

dataset from `search2`: