Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to find unique values between two queries?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JoshuaJohn
Contributor
05-13-2019
02:00 PM
I know I am for sure over-complicating this. I need to find values that are in field x, that are not in field y.
This is my first query:
index=nitro_prod_loc_server earliest=-4h
| stats values("locId") as All_Locs
This returns all locations, it requires a 4 hour timespan
This is my second query:
index=nitro_prod_loc_server appName="nitroCheck" bdy.addInfo{}.key="Serial Number"
| stats values("locId") as "Checked_Locs"
This returns a list of locations that have been checked, it needs the time to be set to all time.
I want a list of locations not found in the second query. Any suggestions?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JoshuaJohn
Contributor
05-14-2019
08:25 AM
Got it
| multisearch
[ search index=-### appName="NotifiCenter" earliest=-4h]
[ search index=-### appName="NitroCheck" bdy.addInfo{}.key="Serial Number" ]
| stats values(locId) as location distinct_count(locId) AS c_idx by appName
| stats count(appName) as c_appName by location
| where c_appName < 2
| table location
| sort location asc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JoshuaJohn
Contributor
05-14-2019
08:25 AM
Got it
| multisearch
[ search index=-### appName="NotifiCenter" earliest=-4h]
[ search index=-### appName="NitroCheck" bdy.addInfo{}.key="Serial Number" ]
| stats values(locId) as location distinct_count(locId) AS c_idx by appName
| stats count(appName) as c_appName by location
| where c_appName < 2
| table location
| sort location asc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
05-13-2019
02:12 PM
Hi JoshuaJohn,
you should not use join for reasons.
You can use a multireport to do this, and this SPL is un-tested so you might have to modify it to match 😉
| multireport
[ search index=nitro_prod_loc_server earliest=-4h
| stats values("locId") as All_Locs ]
[ search index=nitro_prod_loc_server appName="nitroCheck" bdy.addInfo{}.key="Serial Number"
| stats values("locId") as "Checked_Locs" ]
| streamstats count(index) AS c_idx
| where c_idx < 2 AND isnull(appName)
This would assume you have no appName field returned from the first search.
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JoshuaJohn
Contributor
05-14-2019
06:51 AM
Ah I do have an appName returned from the first field, it always returns something (regardless if its set to specifically return)
Get Updates on the Splunk Community!
Announcing Scheduled Export GA for Dashboard Studio
We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
