Splunk Search

Two sets subtraction

pitmod
Explorer

I have a two saved searches A and B. Each gives an output like below:

A:                             

host

host1

host2

host 3

B:

host

host 2

host 3

host 4

I'd like to execute search that uses results of both saved searches to perform set subtraction: A - B. So in this example I should get host1 as an result. The number of hosts for A and B can be greater than 10000 so I'd like to avoid using subsearch command as my output could be truncated.

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

There are probably a number of ways to do this - try:

searchA
| eval search="A"
| append [searchB
          | eval search="B"]
| stats values(search) as search by host
| where mvcount(search)=1 AND search="A"

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

There are probably a number of ways to do this - try:

searchA
| eval search="A"
| append [searchB
          | eval search="B"]
| stats values(search) as search by host
| where mvcount(search)=1 AND search="A"
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...