Splunk Search

How to compare values in col1 to col2, and return all values existing in col1 but NOT in col2?

michael_wong
Path Finder

Here is my situation. I can use a subsearch to get two-column data, just like below.

The data rows are not aligned, so I can't simply use eval if to compare. Some of the values are identical, but some are not. I want to output the values that exist in col1 but do not exist in col2.

column1   column2
AA        BB
CC        AA
DD        FF
EE        ZZ
FF        XX
VV        MM


michael_wong
Path Finder

I've solved it.

First, add a "+" to each column to mark that the value exists in col1 OR col2.

And then I can combine the lines using the command stats first(*) as * by host.

search1 | eval col1="+" | append [ search2 | eval col2="+" ]
| stats first(*) as * by host
| where isnotnull(col1) AND isnull(col2)

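A self-contained version of the same pattern, added here as an example and not taken from the original post: both columns are built with makeresults from constructed sample data matching the question's table (the field name value and the two tag fields col1/col2 are assumptions), each side is tagged, and only values present in col1 and absent from col2 survive.

```spl
| makeresults count=1
| eval value=split("AA,CC,DD,EE,FF,VV", ",")
| mvexpand value
| eval col1="+"
| append
    [| makeresults count=1
     | eval value=split("BB,AA,FF,ZZ,XX,MM", ",")
     | mvexpand value
     | eval col2="+" ]
| stats first(col1) as col1, first(col2) as col2 by value
| where isnotnull(col1) AND isnull(col2)
| table value
```

Grouping by the compared field (here value) rather than by host is what lines up the two unaligned columns; the result set is CC, DD, EE and VV.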