Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to show threat names in field1 and not in field2?

mcohen13
Loves-to-Learn
‎03-18-2019 06:36 AM

I have 2 different fields that both contain threat names.
I want to show which of the threat name are in field1 and not in field2. how do I show that?

0 Karma
Reply

woodcock
Esteemed Legend
‎03-18-2019 09:25 AM

OK, I see that you have been asking several questions all related to the same thing. I think I gave you a good one here:
https://answers.splunk.com/answering/734619/view.html

And if you take a look at the last line of my answer here, you will have all that you need to do the setdiff:
https://answers.splunk.com/answering/734611/view.html

Here is the run-anywhere example of setdiff from there:

 index=_* earliest=-2d@d latest=@d
 | bin _time span=1d 
 | eval _time = if(_time < relative_time(now(), "-1d@d"), "YesterYesterDay", "YesterDay")
 | chart values(sourcetype) OVER host BY _time
 | eval setdiff = split(replace(replace(replace(replace(mvjoin(mvsort(mvappend(split(replace(YesterYesterDay, "(;|$)", "#1;"), ";"), split(replace(YesterDay, "(;|$)", "#0;"), ";"))), ";"), ";(\d+)#0\;\1#1", ""), ";\d+#1", ""), "#0", ""), ";(?!\d)|^;", ""), ";")

You can thank @martin_mueller for that last line.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-18-2019 11:19 AM

That was a fun day. H/T to @jeffland too!

Reply

jeffland
SplunkTrust
SplunkTrust
‎03-26-2019 12:25 AM

Oh I remember. Glad to see it grow into the wild 🙂

0 Karma
Reply

nickhills
Ultra Champion
‎03-18-2019 09:09 AM

I'm not sure if this is quite what you are looking for, however this will give you the values which only appear once in one of the fields.

| makeresults 1 
| eval variant1 = "[\"tempedreve\",\"suppobox\",\"necurs\",\"ramnit\",\"tofsee\",\"simda\",\"tinba\"]" 
| eval variant2 = "[\"necurs\",\"pykspa\",\"suppobox\",\"simda\"]" 
| eval field1 = replace(variant1, "\[|\]|\"","") 
| eval field2 = replace(variant2, "\[|\]|\"","") 
| eval field3 = mvzip(field1, field2) 
| makemv field3 delim="," 
|mvexpand field3|stats count(field3) as ct by field3|where ct==1|mvcombine delim="," field3
If my comment helps, please give it a thumbs up!
0 Karma
Reply

nickhills
Ultra Champion
‎03-18-2019 07:10 AM

Are the two fields in the same event, or different events?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

mcohen13
Loves-to-Learn
‎03-18-2019 07:31 AM

they are in the same index

0 Karma
Reply

nickhills
Ultra Champion
‎03-18-2019 07:34 AM

But does 1 event contain both fields?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

mcohen13
Loves-to-Learn
‎03-18-2019 07:38 AM

can you clarify?

0 Karma
Reply

nickhills
Ultra Champion
‎03-18-2019 07:47 AM

Can you share your search and some example events. Remember to remove anything sensitive.

If my comment helps, please give it a thumbs up!
0 Karma
Reply

mcohen13
Loves-to-Learn
‎03-18-2019 07:55 AM

i share example evens
variant1 = ["tempedreve","suppobox","necurs","ramnit","tofsee","simda","tinba"]
variant2 = ["necurs","pykspa","suppobox","simda"]
already i have ability to extract each variant name into a different field that in each row contain one variant name instead of array

i want to show only the variant name that are in variant1 and not in variant2

0 Karma
Reply

somesoni2
Revered Legend
‎03-18-2019 08:18 AM

Is variant1 and variant2 appean in the same event (all events have both the fields available)? Are the extracted variant1 and variant2 a multiple valued field?

Reply

mcohen13
Loves-to-Learn
‎03-18-2019 08:49 AM

yes both fields appear in the same event
the extracted fields are not multiple value both contain a single value

0 Karma
Reply

somesoni2
Revered Legend
‎03-18-2019 09:03 AM

One last thing, what's you current search looks like (to show/list these values)? (if you're doing field extraction inline in the search, show that as well)

0 Karma
Reply

mcohen13
Loves-to-Learn
‎03-19-2019 02:25 AM

index="something" date!="date"

| makemv delim="," variants_only_in_1 | mvexpand variants_only_in_1 | eval variants_only_in_1=replace(variants_only_in_1,"]","") | eval variants_only_in_1=replace(variants_only_in_1,"[","") | eval variants_only_in_1=replace(variants_only_in_1,"\,","")
| makemv delim="," variants_only_in_2 | mvexpand variants_only_in_2 | eval variants_only_in_2=replace(variants_only_in_2,"]","") | eval variants_only_in_2=replace(variants_only_in_2,"[","") | eval variants_only_in_2=replace(variants_only_in_2,"\,","")

0 Karma
Reply

woodcock
Esteemed Legend
‎03-18-2019 08:24 AM

You are a patient man.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...