Splunk Search

How to compare values from two fields from different sources but only keep an uncommon value?

New Member

Hi community,

I have a combined search which includes two sourcetypes. Both include a field with a username. Let's say it looks like this:

Sourcetype1 Field1:

User1
User2

Sourcetype2 Field2:

User1
User2
User3

I need the values that are present in Field2, and are not in Field1. The other way around is not of interest, so a simple count and looking at <2 is not an option. So, my search needs to reflect that User3 is a value of an event in Field2, but not a value of an event in Field1.

How do I do that within my search?

The search itself:

| ldapsearch search=(&(objectClass=group)(cn=*OMITTED*)) attrs="member"
| mvexpand member
| xmlkv
| eval member=substr(member, 4, 6)
| rename member AS Field1
| append [search sourcetype="*OMITTED2*" source="*OMITTED3*" *OMITTED4*=*OMITTED5* | rename *OMITTED6* AS Field2]

With many thanks!


SplunkTrust

Try this. It will show events in the subsearch that are not in the main search.

| ldapsearch search=(&(objectClass=group)(cn=OMITTED)) attrs="member"
| mvexpand member
| xmlkv
| eval member=substr(member, 4, 6)
| rename member AS Field1
| join type=inner Field1 [search sourcetype="OMITTED2" source="OMITTED3" OMITTED4=OMITTED5 | rename OMITTED6 AS Field1]
---
If this reply helps you, an upvote would be appreciated.

New Member

It gives back 0 results. If I place:

join type=inner SOME_BOGUS_FIELD

instead of

join type=inner Field1

It gives results, but far fewer values for Field2 than I would expect. So something is not working correctly. Maybe that has to do with the ldapsearch module. I tried converting Field1 to string using:

eval Field1=tostring(Field1)

but that did not help.

Do you have any idea how to proceed?


SplunkTrust

Perhaps I renamed the wrong OMITTED field to Field1. Modify the query so Field1 is the same in both the main search and the subsearch.

---
If this reply helps you, an upvote would be appreciated.
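An added example, not from either poster, that keeps only the usernames present in the event data but absent from the LDAP group without using join: each branch is tagged with a src label, the two are stacked with append, the username is normalised so that case or whitespace differences cannot hide a match, and stats counts per username how many rows came from each branch. The OMITTED placeholders are the asker's own, and the substr(member, 4, 6) extraction is kept as posted.

```spl
| ldapsearch search="(&(objectClass=group)(cn=OMITTED))" attrs="member"
| mvexpand member
| xmlkv
| eval user=substr(member, 4, 6), src="ldap"
| append
    [ search sourcetype="OMITTED2" source="OMITTED3" OMITTED4=OMITTED5
      | rename OMITTED6 AS user
      | eval src="events" ]
| eval user=lower(trim(user))
| stats count(eval(src="ldap")) AS in_group,
        count(eval(src="events")) AS in_events
        BY user
| where in_group=0
| fields user in_events
```

Rows with in_group=0 are exactly the Field2 values with no counterpart in Field1 (User3 in the question), and in_events tells you how many events each such account produced; if the result is unexpectedly empty, remove the where clause and inspect the user column to check that the substr extraction yields the same form of name as the event field.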