Splunk Search

How to eliminate identical values of two similar fields?

vshakur
Path Finder

Suppose I have a field called TESTS which contains some values. This field changes every day (each day is represented by a field called TIMESTAMP).
I would like to isolate only those tests that differ from the previous day to the following one. Only those tests that appeared yesterday but not today.

For instance:

| tests | day |
|-------|-----|
| a,b,c | 1   |
| a,c   | 2   |

The DIFFERENCE field should contain only b

Thanks,
Shmuel


elliotproebstel
Champion

I'm going to focus on your final goal statement, which is to find: "Only those tests that appeared yesterday but not today." I'll assume that each test appears in a field called test.

Step 1: List all tests that occurred in the overall timeframe (yesterday and today)

index=something earliest=-1d@d latest=now test=*

Step 2: Identify the latest time that each test ran

| stats latest(_time) AS last_ran BY test

Step 3: Filter for tests that ran yesterday and did not run today

| eval midnight=relative_time(now(), "@d")
| where last_ran<=midnight

This will leave tests that were seen within the overall time window but were not seen today. So putting it all together:

index=something earliest=-1d@d latest=now test=*
| stats latest(_time) AS last_ran BY test
| eval midnight=relative_time(now(), "@d")
| where last_ran<=midnight

The solution by @p_gurav will display all events that occurred on only one day (i.e. only yesterday OR only today), but it won't tell you on which day they ran.

p_gurav
Champion

Hi vshakur,

You can try the following query:

| set diff
    [search index=* earliest=-0d@d latest=now | stats count by tests | fields - count]
    [search index=* earliest=-1d@d latest=@d | stats count by tests | fields - count]
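Two things the answers above leave to the reader are worth spelling out. First, the question's TESTS field holds a comma-separated list ("a,b,c"), so a plain `stats ... BY tests` compares whole lists rather than individual tests; the field has to be split first. Second, `set diff` is symmetric: it returns tests seen on only one of the two days but does not say which day. The search below is an added example, not code from either answer; it assumes the same placeholder `index=something` used above, a field named `tests` that may hold several comma-separated values, and that the search is run at some point during "today" (so `-1d@d` is midnight yesterday and `@d` is midnight today). Tests seen only yesterday come out labelled "dropped today"; it also reports the opposite case, "new today", which goes one step beyond what the question asked for.

```spl
index=something earliest=-1d@d latest=now tests=*
| makemv delim="," tests
| mvexpand tests
| eval day=if(_time >= relative_time(now(), "@d"), "today", "yesterday")
| stats values(day) AS days, latest(_time) AS last_ran BY tests
| where mvcount(days)=1
| eval difference=if(days="yesterday", "dropped today", "new today")
| eval last_ran=strftime(last_ran, "%Y-%m-%d %H:%M:%S")
| table tests days difference last_ran
```

`makemv` splits the list and `mvexpand` turns each value into its own event, so every later `BY tests` works on single test names. `values(day)` collects the distinct day labels per test; a test seen on both days has two labels and is dropped by `mvcount(days)=1`, which is the same filter `set diff` applies, but with the surviving day label kept. To get exactly the question's DIFFERENCE field (yesterday only), add `| where difference="dropped today"`. Note that `_time >= relative_time(now(), "@d")` puts an event stamped exactly at midnight into "today"; the `where last_ran<=midnight` in the first answer would count that same event as yesterday's, which only matters for tests logged precisely on the day boundary.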