Splunk Search

How to compare two searches to find values in one search and not the other

New Member

I have two datasets in separate indexes that I would like to compare. i.e.

dataset from search1:

item1
item2
item3

dataset from search2:

item1
item2
item3
item4
item5

I would like to produce a table of the items that exist in search2 and not in search1, i.e.

itemfield        searchname
-------------------------------------
item4            search2
item5            search2

How would I do this?

0 Karma

Builder

Something like this:

| makeresults 
| eval _raw = "list
         item1
         item2
         item3" 
| multikv forceheader=1 
| eval inList1 = "Y" 
| appendcols 
    [| makeresults 
    | eval _raw = "list
    item1
    item2
    item3
    item4
    item5" 
    | multikv forceheader=1 
    | table list] 
| eval inList2 = if(inList1 = "Y", "N", "Y") 
| where inList2 = "Y" 
| table list
0 Karma
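A caveat on the answer above: appendcols lines the subsearch rows up with the main search rows by position, not by value, so it only returns the right items when the shorter list is an in-order prefix of the longer one (as in the sample data). If item2 were missing from search1, the positional overlay would still report item4 and item5 and silently drop item2. The search below is an added example, not from the original thread, that computes a true set difference with append plus stats: tag each row with which search it came from, group by the item value, and keep items seen in only one source. The makeresults/streamstats preamble just constructs the two sample lists inline so it runs without any index; item and searchname are field names chosen to match the question.

```spl
| makeresults count=3
| streamstats count AS n
| eval item = "item" . tostring(n), searchname = "search1"
| append
    [| makeresults count=5
     | streamstats count AS n
     | eval item = "item" . tostring(n), searchname = "search2"]
| stats values(searchname) AS searchname, dc(searchname) AS sources BY item
| where sources = 1 AND searchname = "search2"
| table item searchname
```

Against real data, replace the two makeresults blocks with a single search that covers both indexes and derive searchname from the index field, e.g. `(index=index1) OR (index=index2) | eval searchname = if(index="index1", "search1", "search2")`, then apply the same stats and where lines (with BY on whatever field holds the item). Because stats works on the value of item rather than row position, order and gaps in either list do not matter, and changing the where clause to `searchname = "search1"` gives the items unique to search1 instead. If you do keep a subsearch form with append, remember that subsearches are subject to the default event and time limits, so a large second index should go in the single combined search rather than inside the brackets.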