
How to efficiently show the difference between two fields from different sources

nathg123
Loves-to-Learn Lots

Hey All,

Here is my search

index=main event_simpleName=NeighborListIP4 OR event_simpleName=SensorHeartbeat
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC4>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC5>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC4>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC5>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC6>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;"
| eval Combiner = mvappend('MAC1', 'MAC2', 'MAC3', 'MAC4', 'MAC5', 'MAC6')
| mvexpand Combiner
| dedup Combiner
| table Combiner

I want to show what is in the Combiner field but not present within the MAC field only inside event_simpleName=SensorHeartbeat MAC=*

However both event_simpleName=NeighborListIP4 and event_simpleName=SensorHeartbeat contain the field name MAC.

Not sure what the most efficient way of doing this is; I was attempting to use the diff command, however no luck.

Any help would be much appreciated!

Thanks


kamlesh_vaghela
SplunkTrust

@nathg123 

Can you please share some events and the expectations from those samples?

KV


nathg123
Loves-to-Learn Lots

@kamlesh_vaghela 
I have the field "Combiner" within event_simpleName=NeighborListIP4
I have the field "MAC" within event_simpleName=SensorHeartbeat

Both fields contain MAC addresses; I want to output what's in Combiner but not in MAC.

However event_simpleName=NeighborListIP4 also has the field MAC, which I want to completely disregard.

Sorry, it's difficult to explain, I hope this clears it up!

NeighborListIP4 Combiner | SensorHeartbeat MAC | Expected result
1                        | 4                   | Give me value of Combiner
4                        | 4                   | Don't give me the value
5                        | 7                   | Give me value of Combiner

kamlesh_vaghela
SplunkTrust

@nathg123 

Yes, it's difficult. Let me share what I've tried. I'm not sure what search you designed in the earlier post, but can you please try this?

index=main event_simpleName=NeighborListIP4 OR event_simpleName=SensorHeartbeat 
| eval MAC=if(event_simpleName=="NeighborListIP4",null(),MAC)
| eventstats values(MAC) as Macs
| eval flg=mvfind(Macs,"^".Combiner."$")
| where isnull(flg)
| dedup  Combiner
| table Combiner

 

My Sample Search :

| makeresults | eval raw="event_simpleName=NeighborListIP4&Combiner=1,4,5|event_simpleName=SensorHeartbeat&MAC=4,4,7",raw=split(raw,"|")| mvexpand raw | rename raw as _raw
| extract kvdelim="=" pairdelim="&" | eval Combiner=split(Combiner,","),MAC=split(MAC,",") | mvexpand Combiner | mvexpand MAC
| rename comment as "Up to now is data only"
| eval MAC=if(event_simpleName=="NeighborListIP4",null(),MAC)
| eventstats values(MAC) as Macs
| eval flg=mvfind(Macs,"^".Combiner."$")
| where isnull(flg)
| dedup  Combiner
| table Combiner

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
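As an added example (not from the thread), the same set difference done in one pass: rex with max_match=0 replaces the six cascading rex calls, and membership is decided by grouping exact, case-normalised MAC strings instead of a regex mvfind, which would also treat a MAC that merely contains the Combiner value as a substring as a hit. It assumes NeighborList entries look like `<17-char MAC>|<IPv4>|0|...;` as in the original rex, and that the hypothetical field names neighbor_mac, candidate and seen_in are free.

```spl
index=main event_simpleName=NeighborListIP4 OR event_simpleName=SensorHeartbeat
| rex field=NeighborList max_match=0 "(?<neighbor_mac>[0-9A-Fa-f:-]{17})\|\d{1,3}(?:\.\d{1,3}){3}\|0\|"
| eval candidate=case(event_simpleName=="NeighborListIP4", neighbor_mac, event_simpleName=="SensorHeartbeat", MAC)
| mvexpand candidate
| eval candidate=upper(candidate)
| stats values(event_simpleName) as seen_in by candidate
| where mvcount(seen_in)==1 AND seen_in=="NeighborListIP4"
| rename candidate as Combiner
| table Combiner
```

The case() is what ignores the MAC field on NeighborListIP4 events: only the neighbor list contributes from those rows, and only the MAC field contributes from SensorHeartbeat rows, so a value grouped under NeighborListIP4 alone was never reported by a heartbeat.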
