Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to efficiently show the difference between two fields from different sources

nathg123
Loves-to-Learn Lots
‎07-01-2021 10:44 PM

Hey All,

Here is my search

index=main event_simpleName=NeighborListIP4 OR event_simpleName=SensorHeartbeat
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC4>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC5>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC4>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC5>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC6>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| eval Combiner = mvappend('MAC1', 'MAC2', 'MAC3', 'MAC4', 'MAC5', 'MAC6')
| mvexpand Combiner
| dedup Combiner
| table Combiner

I want to show what is in the Combiner field but not present within the MAC field only inside event_simpleName=SensorHeartbeat MAC=*

However both event_simpleName=NeighborListIP4 and event_simpleName=SensorHeartbeat contain the field name MAC.

Not sure what is the most efficient way of doing this is, I was attempting to use diff command however no luck.

Any help would be much appreciated!

Thanks

Labels (2)
Labels
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-01-2021 11:05 PM

@nathg123 

Can you please share some events and the expectations from that samples?

KV

0 Karma
Reply

nathg123
Loves-to-Learn Lots
‎07-01-2021 11:24 PM

@kamlesh_vaghela 
I have the field "Combiner" within event_simpleName=NeighborListIP4
I have the field "MAC" within event_simpleName=SensorHeartbeat

Both fields contains MAC address's, I want to output what's in Combiner but not in MAC.

However event_simpleName=NeighborListIP4 also has the field MAC, which I want to completely disregard.

Sorry its difficult to explain, I hope this clears it up!

event_simpleName=NeighborListIP4 Combinerevent_simpleName=SensorHeartbeat
MAC		 
14Give me value of Combiner
44Don't give me the value
57Give me value of Combiner
 
Tags (1)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-01-2021 11:56 PM

@nathg123 

Yes it's difficult.  let me share what I've tried. I'm not what search you design in earlier post. But can you please try this?

index=main event_simpleName=NeighborListIP4 OR event_simpleName=SensorHeartbeat 
| eval MAC=if(event_simpleName=NeighborListIP4,null(),MAC)
| eventstats values(MAC) as Macs
| eval flg=mvfind(Macs,Combiner)
| where isnull(flg)
| dedup  Combiner
| table Combiner

 

My Sample Search :

| makeresults | eval raw="event_simpleName=NeighborListIP4&Combiner=1,4,5|event_simpleName=SensorHeartbeat&MAC=4,4,7",raw=split(raw,"|")| mvexpand raw | rename raw as _raw
| extract kvdelim="=" pairdelim="&" | eval Combiner=split(Combiner,","),MAC=split(MAC,",") | mvexpand Combiner | mvexpand MAC
| rename comment as "Up to now is data only"
| eval MAC=if(event_simpleName=NeighborListIP4,null(),MAC)
| eventstats values(MAC) as Macs
| eval flg=mvfind(Macs,Combiner)
| where isnull(flg)
| dedup  Combiner
| table Combiner

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk &#43; Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...