Splunk Search

What is the command to check if a field exists in one column but not in the other column?

avivn
Explorer

hello

what is the command to check if a field exists in one column but not the other?

for example, to count the "10.2.3.3" because it exists in the source column but not in the target column :

source_             |target
10.1.2.3             |10.1.2.3
10.2.3.3             |10.2.2.2

thanks

0 Karma

inventsekar
SplunkTrust
SplunkTrust

try this....

yoursearch | table source, target | where source!=target
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

avivn
Explorer

not working ,,,,

0 Karma

sjalexander
Path Finder

I downvoted this post because not an answer

0 Karma

sidbisht
Engager

Although the question is 4 years old I had encountered something similar for an Alert. Please try this

| makeresults count=10
| streamstats count as temp
| eval temp1=abs(10-temp)
| eval ip1="10.10."+temp+"."+temp1
| eval ip2="10.10.7.".temp
| stats values(ip1) as ip1, values(ip2) as ip2
| mvexpand ip1
| mvexpand ip2
| where ip1 = ip2

to4kawa
Ultra Champion
| makeresults count=10
| streamstats count as temp
| eval temp1=abs(10-temp)
| eval ip1="10.10."+temp+"."+temp1
| eval ip2="10.10.7.".temp
| eventstats values(ip2) as tmp
| stats count(eval(match(tmp,ip1))) as count list(ip2) as ip2 values(temp) as temp by ip1
| sort temp
| fields - temp

@sidbisht  your creating temp1 is interesting.  

How about this query?
For comparing fields, make multi value and use match(), I think.

0 Karma

somesoni2
Revered Legend

There won't be a straight forward command to the comparison. Try this subsearch method

your base search | where NOT [search yourbasesearch | stats count by target | table target | rename target as source] | stats count by source
0 Karma

avivn
Explorer

not working ...

0 Karma

inventsekar
SplunkTrust
SplunkTrust

You simply want to list or you want to count as well?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...