Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find host diff from two searches in the same index?

rest_assured
Loves-to-Learn Everything
‎02-24-2023 03:47 AM
I've been trying to solve this problem for days now with no success. Maybe I can find ultimate salvation here. 

I have a single index where I need to run 2 queries. 

First query finds all hosts that generate logs for a particular app called APP.  I need to count totals.

Second query searches for a hosts that were scanned by the APP.

Problem: I need to deduct hosts detected in Query 2 from hosts found in Query 1. That will generate a list of hosts that were potentially not scanned in a selected period of time.

Query 1:

index=demon source="/opt/app/logs/*"

Query 2:

index=demon source="*scan.log" "scan Finished"

From what I learnt so far |multisearch appears to be the best candidate however when I run the below query I only get 1 variable listed, I guess because of host that can be attributed only once.
 
I'm sure there are multiple ways of achieving this goal.
 
Thanks

 

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-24-2023 04:38 AM

A rule of thumb says if you can use one search, don't use two. Also don't use subsearches unless you absolutely have to.

Question is whether you want to find events which match one of your searches but don't match the other or hosts listed in one search but bot the other.

0 Karma
Reply

rest_assured
Loves-to-Learn Everything
‎02-24-2023 06:20 AM

I'm looking for hosts list generated by query 1 minus hosts list generated by query 2. I must find unique hosts in both and then use simple math to calculate a diff. If possible list hosts as table. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-24-2023 07:58 AM

The typical approach would be to generate list of events, classify them and find only those matching.

You can do that with two separate searches

index=demon source="/opt/app/logs/*"
| eval find_id=1
| appendpipe [
     search index=demon source="*scan.log" "scan Finished"
     | eval find_id=2 ]
| stats values(host) as host by find_id
| mvexpand host
| stats sum(find_id) as find by host
| where find=1

Depending on whether you want only those appearing in first, second or both searches, you set the last where condition to 1, 2 or 3.

You can also do this in one search with using compound OR-ed search and conditional eval but it's more complicated.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-24-2023 04:08 AM

Try something like this

index=demon source="/opt/app/logs/*" NOT [| search index=demon source="*scan.log" "scan Finished"
| dedup host
| fields host]
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...