Solved: How to find the difference between columns headers...

akawacz · ‎11-09-2015

Hello

I am trying to find a differecne between column headers (month to another month). Meaning, if in the new month there are some new columns headers which do not exist in the previous month.

|set diff [search index = A PERIOD="2015-08-01 00:00:00" | stats dc(*) as * |transpose | table column] [search index = A PERIOD="2015-09-01 00:00:00" | stats dc(*) as * |transpose | table column]

above search shows me 27 values, but it should be just one. Also I was trying to use foreach, but haven't had any luck there.

HeinzWaescher · ‎11-09-2015

Do you want to see the names of the new headers?
I can think of something like this:

Set the timerangepicker to the 2 months you want to compare.

....
| bucket span=1mon _time

| stats count() AS * BY _time
| transpose

| rename "row 1" -> previous_month, "row 2" -> current_month
| search previous_month=0 AND row2>0

View solution in original post

HeinzWaescher · ‎11-09-2015

Do you want to see the names of the new headers?
I can think of something like this:

Set the timerangepicker to the 2 months you want to compare.

....
| bucket span=1mon _time

| stats count() AS * BY _time
| transpose

| rename "row 1" -> previous_month, "row 2" -> current_month
| search previous_month=0 AND row2>0

akawacz · ‎11-09-2015

HI

I have gave the same result what my search as well (which I have just corrected). However both shows one filed with 0 but the value is visibe in 2 month. What can be the reason ?

How to find the difference between columns headers (new column headers one month that don't exist in the previous month)?

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?