Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to efficiently show the difference between two fields from different sources

nathg123
Loves-to-Learn Lots
‎07-01-2021 10:44 PM

Hey All,

Here is my search

index=main event_simpleName=NeighborListIP4 OR event_simpleName=SensorHeartbeat
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC4>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC5>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC4>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC5>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC6>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| eval Combiner = mvappend('MAC1', 'MAC2', 'MAC3', 'MAC4', 'MAC5', 'MAC6')
| mvexpand Combiner
| dedup Combiner
| table Combiner

I want to show what is in the Combiner field but not present within the MAC field only inside event_simpleName=SensorHeartbeat MAC=*

However both event_simpleName=NeighborListIP4 and event_simpleName=SensorHeartbeat contain the field name MAC.

Not sure what is the most efficient way of doing this is, I was attempting to use diff command however no luck.

Any help would be much appreciated!

Thanks

Labels (2)
Labels
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-01-2021 11:05 PM

@nathg123 

Can you please share some events and the expectations from that samples?

KV

0 Karma
Reply

nathg123
Loves-to-Learn Lots
‎07-01-2021 11:24 PM

@kamlesh_vaghela 
I have the field "Combiner" within event_simpleName=NeighborListIP4
I have the field "MAC" within event_simpleName=SensorHeartbeat

Both fields contains MAC address's, I want to output what's in Combiner but not in MAC.

However event_simpleName=NeighborListIP4 also has the field MAC, which I want to completely disregard.

Sorry its difficult to explain, I hope this clears it up!

event_simpleName=NeighborListIP4 Combinerevent_simpleName=SensorHeartbeat
MAC		 
14Give me value of Combiner
44Don't give me the value
57Give me value of Combiner
 
Tags (1)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-01-2021 11:56 PM

@nathg123 

Yes it's difficult.  let me share what I've tried. I'm not what search you design in earlier post. But can you please try this?

index=main event_simpleName=NeighborListIP4 OR event_simpleName=SensorHeartbeat 
| eval MAC=if(event_simpleName=NeighborListIP4,null(),MAC)
| eventstats values(MAC) as Macs
| eval flg=mvfind(Macs,Combiner)
| where isnull(flg)
| dedup  Combiner
| table Combiner

 

My Sample Search :

| makeresults | eval raw="event_simpleName=NeighborListIP4&Combiner=1,4,5|event_simpleName=SensorHeartbeat&MAC=4,4,7",raw=split(raw,"|")| mvexpand raw | rename raw as _raw
| extract kvdelim="=" pairdelim="&" | eval Combiner=split(Combiner,","),MAC=split(MAC,",") | mvexpand Combiner | mvexpand MAC
| rename comment as "Up to now is data only"
| eval MAC=if(event_simpleName=NeighborListIP4,null(),MAC)
| eventstats values(MAC) as Macs
| eval flg=mvfind(Macs,Combiner)
| where isnull(flg)
| dedup  Combiner
| table Combiner

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...