Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

compare 2 different search results and list out the missing data from search 1 result

SathyaNarayanan
Path Finder
‎07-21-2016 04:15 AM

Hi,

I have 2 results from 2 different searches. I need to compare it & find out the missing data from search result 1

Search 1 result as Hostname

SVS1
SVS2
SVS3

Search 2 result as CI_name

SVS1
SVS2

my Result should be

SVS3

Note : I tried set diff command but it showing the difference not the missing data

Thanks in advance

Tags (1)
Reply

woodcock
Esteemed Legend
‎07-21-2016 07:37 AM

Like this:

SearchOneHere NOT [ SearchTwoHere | table CI_name | rename CI_name AS Hostname ]

Or this:

SearchOneHere | search NOT [ SearchTwoHere | table CI_name | rename CI_name AS Hostname ]
Reply

SathyaNarayanan
Path Finder
‎07-29-2016 06:38 AM

Thank you woodcock, it worked for me

0 Karma
Reply

woodcock
Esteemed Legend
‎07-29-2016 02:08 PM

Then please do click Accept on this answer to close the question.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-21-2016 05:01 AM

try this

search1 | eval count=0 | append [ search search2 | rename CI_name AS Hostname | stats count by Hostname ] | stats sum(count) AS Total by Hostname | where Total = 0

in this way you find all the Hostnames of Search1 that aren't in Search2.
Bye.
Giuseppe

Reply

gcusello
SplunkTrust
SplunkTrust
‎09-09-2016 04:21 AM

if you're satisfied of the answer, please, accept the answer.
Bye.
Giuseppe

0 Karma
Reply

kiru2992
Path Finder
‎02-06-2018 12:35 AM

Hi Giuseppe,

I also have this problem and this query solves the issue. But I am having difficulty in understanding the
" stats sum(count) AS Total by Hostname" part of the query.

Can you please help me by explaining how the query works?

Thank you in advance.
Kiruthika

0 Karma
Reply

493669
Super Champion
‎02-06-2018 01:00 AM

here
search 1| eval count=0
gives result like 

Hostname       count
  A                    0
  B                    0
  C                    0

And search search2 | rename CI_name AS Hostname | stats count by Hostname
gives result like

Hostname       count
  B                    2
  C                    3
  D                    5

Now by append clause above results get appended gives below output

Hostname         count
      A                    0
      B                    0
      C                    0
      B                    2
      C                    3
      D                    5

Now | stats sum(count) AS Total by Hostname gives (sum of all count per Hostname) output as 

Hostname        Total
  A                    0
  B                    2
  C                    3
  D                    5

after which find whose Total field is zero | where Total = 0 which indicates here "A" hostame is missing.
Hope this helps!

Reply

kiru2992
Path Finder
‎02-06-2018 01:15 AM

Of course!! Thanks a lot!!

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...