Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to find unique values between two queries?

JoshuaJohn
Contributor
‎05-13-2019 02:00 PM

I know I am for sure over-complicating this. I need to find values that are in field x, that are not in field y.

This is my first query:

index=nitro_prod_loc_server earliest=-4h
| stats values("locId") as All_Locs

This returns all locations, it requires a 4 hour timespan

This is my second query:

index=nitro_prod_loc_server appName="nitroCheck" bdy.addInfo{}.key="Serial Number" 
| stats values("locId") as "Checked_Locs"

This returns a list of locations that have been checked, it needs the time to be set to all time.

I want a list of locations not found in the second query. Any suggestions?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

JoshuaJohn
Contributor
‎05-14-2019 08:25 AM

Got it

| multisearch 
 [ search index=-### appName="NotifiCenter" earliest=-4h]
 [ search index=-### appName="NitroCheck" bdy.addInfo{}.key="Serial Number" ]
 | stats values(locId) as location distinct_count(locId) AS c_idx by appName
 | stats count(appName) as c_appName by location
 | where c_appName < 2
 | table location
 | sort location asc

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

JoshuaJohn
Contributor
‎05-14-2019 08:25 AM

Got it

| multisearch 
 [ search index=-### appName="NotifiCenter" earliest=-4h]
 [ search index=-### appName="NitroCheck" bdy.addInfo{}.key="Serial Number" ]
 | stats values(locId) as location distinct_count(locId) AS c_idx by appName
 | stats count(appName) as c_appName by location
 | where c_appName < 2
 | table location
 | sort location asc
0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎05-13-2019 02:12 PM

Hi JoshuaJohn,

you should not use join for reasons.

You can use a multireport to do this, and this SPL is un-tested so you might have to modify it to match 😉 

| multireport
[  search index=nitro_prod_loc_server earliest=-4h
 | stats values("locId") as All_Locs ]
[ search index=nitro_prod_loc_server appName="nitroCheck" bdy.addInfo{}.key="Serial Number" 
 | stats values("locId") as "Checked_Locs" ]
| streamstats count(index) AS c_idx
| where c_idx < 2 AND isnull(appName)

This would assume you have no appName field returned from the first search.

Hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎05-14-2019 06:51 AM

Ah I do have an appName returned from the first field, it always returns something (regardless if its set to specifically return)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...