Splunk Search

How to show threat names in field1 and not in field2?

mcohen13
Loves-to-Learn

I have 2 different fields that both contain threat names.
I want to show which of the threat name are in field1 and not in field2. how do I show that?

0 Karma

woodcock
Esteemed Legend

OK, I see that you have been asking several questions all related to the same thing. I think I gave you a good one here:
https://answers.splunk.com/answering/734619/view.html

And if you take a look at the last line of my answer here, you will have all that you need to do the setdiff:
https://answers.splunk.com/answering/734611/view.html

Here is the run-anywhere example of setdiff from there:

 index=_* earliest=-2d@d latest=@d
 | bin _time span=1d 
 | eval _time = if(_time < relative_time(now(), "-1d@d"), "YesterYesterDay", "YesterDay")
 | chart values(sourcetype) OVER host BY _time
 | eval setdiff = split(replace(replace(replace(replace(mvjoin(mvsort(mvappend(split(replace(YesterYesterDay, "(;|$)", "#1;"), ";"), split(replace(YesterDay, "(;|$)", "#0;"), ";"))), ";"), ";(\d+)#0\;\1#1", ""), ";\d+#1", ""), "#0", ""), ";(?!\d)|^;", ""), ";")

You can thank @martin_mueller for that last line.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

That was a fun day. H/T to @jeffland too!

jeffland
SplunkTrust
SplunkTrust

Oh I remember. Glad to see it grow into the wild 🙂

0 Karma

nickhills
Ultra Champion

I'm not sure if this is quite what you are looking for, however this will give you the values which only appear once in one of the fields.

| makeresults 1 
| eval variant1 = "[\"tempedreve\",\"suppobox\",\"necurs\",\"ramnit\",\"tofsee\",\"simda\",\"tinba\"]" 
| eval variant2 = "[\"necurs\",\"pykspa\",\"suppobox\",\"simda\"]" 
| eval field1 = replace(variant1, "\[|\]|\"","") 
| eval field2 = replace(variant2, "\[|\]|\"","") 
| eval field3 = mvzip(field1, field2) 
| makemv field3 delim="," 
|mvexpand field3|stats count(field3) as ct by field3|where ct==1|mvcombine delim="," field3
If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Are the two fields in the same event, or different events?

If my comment helps, please give it a thumbs up!
0 Karma

mcohen13
Loves-to-Learn

they are in the same index

0 Karma

nickhills
Ultra Champion

But does 1 event contain both fields?

If my comment helps, please give it a thumbs up!
0 Karma

mcohen13
Loves-to-Learn

can you clarify?

0 Karma

nickhills
Ultra Champion

Can you share your search and some example events. Remember to remove anything sensitive.

If my comment helps, please give it a thumbs up!
0 Karma

mcohen13
Loves-to-Learn

i share example evens
variant1 = ["tempedreve","suppobox","necurs","ramnit","tofsee","simda","tinba"]
variant2 = ["necurs","pykspa","suppobox","simda"]
already i have ability to extract each variant name into a different field that in each row contain one variant name instead of array

i want to show only the variant name that are in variant1 and not in variant2

0 Karma

somesoni2
Revered Legend

Is variant1 and variant2 appean in the same event (all events have both the fields available)? Are the extracted variant1 and variant2 a multiple valued field?

mcohen13
Loves-to-Learn

yes both fields appear in the same event
the extracted fields are not multiple value both contain a single value

0 Karma

somesoni2
Revered Legend

One last thing, what's you current search looks like (to show/list these values)? (if you're doing field extraction inline in the search, show that as well)

0 Karma

mcohen13
Loves-to-Learn

index="something" date!="date"

| makemv delim="," variants_only_in_1 | mvexpand variants_only_in_1 | eval variants_only_in_1=replace(variants_only_in_1,"]","") | eval variants_only_in_1=replace(variants_only_in_1,"[","") | eval variants_only_in_1=replace(variants_only_in_1,"\,","")
| makemv delim="," variants_only_in_2 | mvexpand variants_only_in_2 | eval variants_only_in_2=replace(variants_only_in_2,"]","") | eval variants_only_in_2=replace(variants_only_in_2,"[","") | eval variants_only_in_2=replace(variants_only_in_2,"\,","")

0 Karma

woodcock
Esteemed Legend

You are a patient man.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...