Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to include unique attributes to the result after comparing 2 different lists from 2 different searches ?

vincentgoh98
Engager
‎06-15-2022 05:20 AM

Hi community, 

I have 2 different lists with fields as follow :

list A - ip_address, source, account_id

list B - ip_address, source, account_id, field4, field5

I want to compare both lists to accomplish list(B) - list(A), ie. remain only list(B) entries with unique ip_address value, comparing to list(A) entries, while also return the field value of field4 and field5. 

Example 

list A

ip_addresssourceaccount_id
10.0.0.1A1000
192.168.0.1A1001

 

list B 

ip_addresssourceaccount_idfield4field5
10.0.0.2B999xxxyyyy 
192.168.0.1B1001xxyyyyx

 

Result

ip_addresssourceaccount_idfield4field5
10.0.0.2B999xxxyyyy 

 

I have tried the following :

index=seceng source="listB"
| eval source="B"
| fields ip_address source account_id field4 field5
| append 
[ | inputlookup listA
  | eval source="A" 
  | fields ip_address source account_id]
| stats values(source) as source, count by ip_address account_id field4 field5
| where count == 1 AND source == "B"

The issue of this query is that since field4 and field5 are unique attributes for list(B) only, thus the stats query will only return list(B) entries. It works when the field4 and field5 removed from the stats query, but they are the attributes that I want to include to the result.

Can anyone give me suggestion of how the expected result can be accomplished ? Really appreciate that, and thanks in advance !

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-15-2022 06:20 AM

Hi @vincentgoh98,

please try something like this:

index=seceng source="listB"
| eval source="B"
| fields ip_address source account_id field4 field5
| append 
[ | inputlookup listA
  | eval source="A" 
  | fields ip_address source account_id]
| stats 
    values(source) AS source 
    dc(source) AS dc_source 
    values(field4) AS field4 
    values(field5) AS field5 
    BY ip_address account_id 
| where dc_source=1 AND source="B"
| table ip_address account_id field4 field5

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-15-2022 06:20 AM

Hi @vincentgoh98,

please try something like this:

index=seceng source="listB"
| eval source="B"
| fields ip_address source account_id field4 field5
| append 
[ | inputlookup listA
  | eval source="A" 
  | fields ip_address source account_id]
| stats 
    values(source) AS source 
    dc(source) AS dc_source 
    values(field4) AS field4 
    values(field5) AS field5 
    BY ip_address account_id 
| where dc_source=1 AND source="B"
| table ip_address account_id field4 field5

Ciao.

Giuseppe

Reply
Solved! Jump to solution

vincentgoh98
Engager
‎06-15-2022 06:54 AM

Hi @gcusello ,

 

Thank you very much for your help ! I am pretty new to Splunk and thus never think of using dc() function. ! It does work for me, and I will mark it as solution.

0 Karma
Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...