Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

Why splunk is not comparing all values from 2 different fileds?

chandana204
Path Finder
โ€Ž05-24-2018 09:18 AM

Hi,

I want to compare two fields in a certain timerange. I am working on 2 fields, those are processip and transferip. These process and transfer fields has 100,000 values, processip count is greater than transferip count most of the values are same except 1 to 20 processip values are not matching with transferip values. I wanted to list out those 1-20 process_ip values. I have written below code to compare two fields:

index="index1" process="Process" OR transfer="transfer" 
| rex "(?P[a-zA-Z0-9.]+)" 
| rex "(hd)\s+(?P[a-zA-Z0-9.]+)" 
| streamstats count by ip, ip_P 
| stats values(ip_P) AS process_ip, values(ip) AS transfer_ip 
| mvexpand process_ip 
| fillnull value=NULL transfer_ip 
| eval file_types_process=if(process_ip!=transfer_ip, process_ip, NULL) 
| where ip_process!="NULL" 
| table ip_process

it's not effecting properly on large amount of data. When I mentioned unmatched processip values in the search then it's listing properly as nonmatched processip with transferip in the table ip_process. I tried running this code on 3 modes(Verbose/Smart/Fast) but no luck.

Why Splunk is not able to compare two fields accurately on large amount of data?

Please let me know if i did any mistake in the code or missed anything.

Thanks,
Chandana

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
โ€Ž05-24-2018 10:35 AM

Assuming field processip and transferip is already extracted (for events with process="Process" and transfer="transfer" respectively), try something like this

 index="index1" process="Process" OR transfer="transfer" 
| eval common_ip=coalesce(process_ip,transfer_ip)
| eval from=if(process="Process","Process","Transfer")
| stats values(from) as from by common_ip
| where mvcount(from)=1 AND from="Process"

Above should give your all processip values which are not available as transferip.

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
โ€Ž05-24-2018 10:35 AM

Assuming field processip and transferip is already extracted (for events with process="Process" and transfer="transfer" respectively), try something like this

 index="index1" process="Process" OR transfer="transfer" 
| eval common_ip=coalesce(process_ip,transfer_ip)
| eval from=if(process="Process","Process","Transfer")
| stats values(from) as from by common_ip
| where mvcount(from)=1 AND from="Process"

Above should give your all processip values which are not available as transferip.

View solution in original post

Reply