Thank you very much, @isoutamo for this reference - it is very useful.

Hi @gcusello,

yes, events with source="fs_webhook" arent in the host="RMM_DATA" subset. I have tried this with COALESCE as you suggested, but it gives me IDs even if it is in both the data sets. 

index="tickets" (host="RMM_DATA") OR (source="fs_webhooks")
| rename freshdesk_webhook.ticket_id AS ticket_id
| where DepartmentName!="XYZ" DepartmentName!="MNO" Status!="Closed" AND Status!="Resolved" Priority="Urgent" Type="Incident"
| eval ID=coalesce(ticket_id, ID)
| fields ID Type DepartmentName "Created Date" Location Priority Subject Queue Status Analyst "Last Updated"
| stats values(*) AS * BY ID

Below example is what I want to achieve:

Data Set 1:

ID: 123456, 234567, 345678

Data Set 2:

ID: 123456, 345678

Expected Result:

ID: 234567

Thank you.

Hi @gcusello - with some minor changes in the updated query you shared, I got it working and now getting expected data.  Thank you so much.

Hi @madhav_dholakia,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

There is also additional question whether ID values are really unique. And if there are IDs that are in the second set and are not in the first one.

In the simplest case (the sets are disjunctive and the second set is a subset of the first one in terms of ID values), you can just use count to discard the repetitive values

index=tickets host=RMM_DATA or source=fs_webhooks
| stats count values(*) as * by ID
| where count=1

Hi @PickleRick,

yes, so the first data set is all the tickets raised in an ITSM tool and the second data set is all the tickets marked as SPAM (subset of data set 1).

Both the data sets contain the common field ID but is is not names as ID in the second data set (freshdesk_webhook.ticket_id) so I use "| rename"

Dataset 1 Columns:

ID, DepartmentName Status Priority Type etc.

Dataset 2 Column:

ID

index="freshservice_tickets" (host="PMC_RAPTOR_DATA" "Department Name"!="ABC" AND "Department Name"!="DEF" AND Status!="Closed" AND Status!="Resolved" AND Priority="Urgent" AND Type="Incident") OR (source="fs_webhooks")
| rename freshdesk_webhook.ticket_id as ID
| stats count values(*) as * by ID

 and the above doesn't give the required results. Can you please suggest what I am doing wrong?

Thank you.

Well, before filtering with the |where command you should get all your tickets.

But in case of your ITSM tickets which are not spam the count should be 1 and in case of the tickets which are spam the count should be 2. Hence the additional condition with |where.

If that's not what you need, check your base search first.

index="freshservice_tickets" (host="PMC_RAPTOR_DATA" "Department Name"!="ABC" AND "Department Name"!="DEF" AND Status!="Closed" AND Status!="Resolved" AND Priority="Urgent" AND Type="Incident") | stats count values(*) as * by ID

It should give you your tickets in tabelarized form. (and you should count equal to 1 across the whole table if as you say the ID is unique per ticket)

thank you very much, @PickleRick - before I check your comment, I got this working by referring to @gcusello's comment.  but thanks for this, I am sure will use this sometime very soon.