Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Set difference of a table field in Splunk

guido93
New Member
‎06-07-2021 10:32 AM

From a search I composed a table, let's call it T1, formed by two columns table name, sourcetype

Now I need to create a static, code generated table, call it T2, that contains all the expected values for the above mentioned table T1, hardcoded.

As a result, I need to generate a table T3 equal to: T2 - T1, basically a logical set difference of the first field, which answer the business question "I want to know which records are missing in T1 based on T2"

I am a newbie of Splunk and its query language and I tried to play a bit with set diff and eval to create static data but I did not manage to create the logic I want at all.

Could you point me to the correct logical implementation of this task?

I do script fluently in both SQL and Python, is there any kind of concept I could reuse to become more familiar with this query language?

Stupid graphical example:

T1

name sourcetype
service_1acpt

T2

name sourcetype
service_1acpt
service_2acpt

T3

name sourcetype
service_2acpt
Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-07-2021 10:53 AM

As a simple example, you can append the second search to the first search and then count by name and sourcetype, and where the count is 1 and the sourcetype is T2 you have your result

search T1
| dedup name sourcetype
| append [search T2 | dedup name sourcetype | eval eventsource="T2"]
| stats count by name sourcetype
| where count = 1 AND eventsource="T2"
0 Karma
Reply

guido93
New Member
‎06-07-2021 11:11 AM

Hi, thanks for your reply first of all.
Do you know how could I hardcode T2 as well? I don't know how to create a table not from a search but with my hardcoded values

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-07-2021 11:17 AM

You could create a csv file and load that as a kv store and use inputlookup to read from the csv store. Alternatively, you could use makeresults to generate the hardcoded values every time (not really advised if you can save the values in a kv/csv store).

0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...