Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search if field value appears in another search or not

smcdonald20
Path Finder
‎03-07-2017 03:11 AM

Trying to find any DeviceId field values that appear in the ActiveSync search but NOT in the MobileIron search.
What is the best way to do this?

ActiveSync search:
index=msexchange source=otl_activesyncinventory

|dedup SamAccountName, DeviceId

|table companyOu, SamAccountName, "AD Account Enabled", DeviceId

MobileIron search:
index=msexchange source=otl_mobileiron
| table, DeviceId, MailboxId, Status

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rjthibod
Champion
‎03-07-2017 03:21 AM

This will give you the list of DeviceId values that only appear in the ActiveSync search.

index=msexchange (source=otl_activesyncinventory OR source=otl_mobileiron)
| stats count by source DeviceId
| eventstats dc(source) as dc by DeviceId
| search dc=1 source=otl_activesyncinventory
| fields DeviceId

You can then use that search in the first step of you first search to get the full table of results you are looking for

index=msexchange source=otl_activesyncinventory 
[   
    search index=msexchange (source=otl_activesyncinventory OR source=otl_mobileiron)
    | stats count by source DeviceId
    | eventstats dc(source) as dc by DeviceId
    | search dc=1 source=otl_activesyncinventory
    | fields DeviceId
]
|dedup SamAccountName, DeviceId 
|table companyOu, SamAccountName, "AD Account Enabled", DeviceId

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rjthibod
Champion
‎03-07-2017 03:21 AM

This will give you the list of DeviceId values that only appear in the ActiveSync search.

index=msexchange (source=otl_activesyncinventory OR source=otl_mobileiron)
| stats count by source DeviceId
| eventstats dc(source) as dc by DeviceId
| search dc=1 source=otl_activesyncinventory
| fields DeviceId

You can then use that search in the first step of you first search to get the full table of results you are looking for

index=msexchange source=otl_activesyncinventory 
[   
    search index=msexchange (source=otl_activesyncinventory OR source=otl_mobileiron)
    | stats count by source DeviceId
    | eventstats dc(source) as dc by DeviceId
    | search dc=1 source=otl_activesyncinventory
    | fields DeviceId
]
|dedup SamAccountName, DeviceId 
|table companyOu, SamAccountName, "AD Account Enabled", DeviceId
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...