Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the command to check if a field exists in one column but not in the other column?

avivn
Explorer
‎09-20-2016 08:45 AM

hello

what is the command to check if a field exists in one column but not the other?

for example, to count the "10.2.3.3" because it exists in the source column but not in the target column :

source_             |target
10.1.2.3             |10.1.2.3
10.2.3.3             |10.2.2.2

thanks

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-20-2016 09:00 AM

try this....

yoursearch | table source, target | where source!=target
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

avivn
Explorer
‎09-21-2016 12:47 AM

not working ,,,,

0 Karma
Reply

sjalexander
Path Finder
‎09-21-2016 05:31 AM

I downvoted this post because not an answer

0 Karma
Reply

sidbisht
Engager
‎07-25-2020 09:30 AM

Although the question is 4 years old I had encountered something similar for an Alert. Please try this

| makeresults count=10
| streamstats count as temp
| eval temp1=abs(10-temp)
| eval ip1="10.10."+temp+"."+temp1
| eval ip2="10.10.7.".temp
| stats values(ip1) as ip1, values(ip2) as ip2
| mvexpand ip1
| mvexpand ip2
| where ip1 = ip2

Reply

to4kawa
Ultra Champion
‎07-25-2020 06:37 PM 
| makeresults count=10
| streamstats count as temp
| eval temp1=abs(10-temp)
| eval ip1="10.10."+temp+"."+temp1
| eval ip2="10.10.7.".temp
| eventstats values(ip2) as tmp
| stats count(eval(match(tmp,ip1))) as count list(ip2) as ip2 values(temp) as temp by ip1
| sort temp
| fields - temp

@sidbisht  your creating temp1 is interesting.  

How about this query?
For comparing fields, make multi value and use match(), I think.

0 Karma
Reply

somesoni2
Revered Legend
‎09-20-2016 09:00 AM

There won't be a straight forward command to the comparison. Try this subsearch method

your base search | where NOT [search yourbasesearch | stats count by target | table target | rename target as source] | stats count by source
0 Karma
Reply

avivn
Explorer
‎09-21-2016 12:53 AM

not working ...

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-21-2016 01:09 AM

You simply want to list or you want to count as well?

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...