Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Set difference of a table field in Splunk

guido93
New Member
‎06-07-2021 10:32 AM

From a search I composed a table, let's call it T1, formed by two columns table name, sourcetype

Now I need to create a static, code generated table, call it T2, that contains all the expected values for the above mentioned table T1, hardcoded.

As a result, I need to generate a table T3 equal to: T2 - T1, basically a logical set difference of the first field, which answer the business question "I want to know which records are missing in T1 based on T2"

I am a newbie of Splunk and its query language and I tried to play a bit with set diff and eval to create static data but I did not manage to create the logic I want at all.

Could you point me to the correct logical implementation of this task?

I do script fluently in both SQL and Python, is there any kind of concept I could reuse to become more familiar with this query language?

Stupid graphical example:

T1

name sourcetype
service_1acpt

T2

name sourcetype
service_1acpt
service_2acpt

T3

name sourcetype
service_2acpt
Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-07-2021 10:53 AM

As a simple example, you can append the second search to the first search and then count by name and sourcetype, and where the count is 1 and the sourcetype is T2 you have your result

search T1
| dedup name sourcetype
| append [search T2 | dedup name sourcetype | eval eventsource="T2"]
| stats count by name sourcetype
| where count = 1 AND eventsource="T2"
0 Karma
Reply

guido93
New Member
‎06-07-2021 11:11 AM

Hi, thanks for your reply first of all.
Do you know how could I hardcode T2 as well? I don't know how to create a table not from a search but with my hardcoded values

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-07-2021 11:17 AM

You could create a csv file and load that as a kv store and use inputlookup to read from the csv store. Alternatively, you could use makeresults to generate the hardcoded values every time (not really advised if you can save the values in a kv/csv store).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...