Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- compare data list
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assume i have two stores which must have the same items but one is missing.
My search returns for example
STORE=LONDON ITEM=ORANGE
STORE=LONDON ITEM=APPLE
STORE=PARIS ITEM=ORANGE
STORE=PARIS ITEM=APPLE
STORE=PARIS ITEM=LEMON
How can i display the missing item LEMON visible in store london?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mkrauss1, please find the following run anywhere search. It mimic three ITEMs and three STORES. You can expand to as many as you want. Obviously the query will be less expensive if there were lookups for unique STORES and ITEMS.
| makeresults
| eval data= "STORE=LONDON ITEM=BANANA;STORE=DELHI ITEM=ORANGE;STORE=LONDON ITEM=APPLE;STORE=PARIS ITEM=ORANGE;STORE=PARIS ITEM=APPLE;STORE=PARIS ITEM=LEMON"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| table ITEM STORE
| eventstats values(STORE) as AllStores
| stats count as Match dc(AllStores) as MaxMatch values(STORE) as StoreFound values(AllStores) as AllStores by ITEM
| search Match<MaxMatch
| mvexpand AllStores
| where !(AllStores in (StoreFound))
| rename AllStores as StoreMissing
| stats values(StoreFound) as StoreFound values(StoreMissing) as StoreMissing by ITEM
PS: Commands till | table ITEM STORE create sample data for demo.
Also in command will work on Splunk Enterprise 6.6 onward.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| makeresults
| eval raw="STORE=LONDON ITEM=ORANGE:STORE=LONDON ITEM=APPLE:STORE=PARIS ITEM=ORANGE:STORE=PARIS ITEM=APPLE:STORE=PARIS ITEM=LEMON"
| makemv delim=":" raw
| mvexpand raw
| rename raw AS _raw
| kv
| stats dc(STORE) AS num_stores values(STORE) AS stores BY ITEM
| search num_stores=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mkrauss1, please find the following run anywhere search. It mimic three ITEMs and three STORES. You can expand to as many as you want. Obviously the query will be less expensive if there were lookups for unique STORES and ITEMS.
| makeresults
| eval data= "STORE=LONDON ITEM=BANANA;STORE=DELHI ITEM=ORANGE;STORE=LONDON ITEM=APPLE;STORE=PARIS ITEM=ORANGE;STORE=PARIS ITEM=APPLE;STORE=PARIS ITEM=LEMON"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| table ITEM STORE
| eventstats values(STORE) as AllStores
| stats count as Match dc(AllStores) as MaxMatch values(STORE) as StoreFound values(AllStores) as AllStores by ITEM
| search Match<MaxMatch
| mvexpand AllStores
| where !(AllStores in (StoreFound))
| rename AllStores as StoreMissing
| stats values(StoreFound) as StoreFound values(StoreMissing) as StoreMissing by ITEM
PS: Commands till | table ITEM STORE create sample data for demo.
Also in command will work on Splunk Enterprise 6.6 onward.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great solution and I also really like the first part of the query to build a set of data. Both of these should be on some list of solution patterns.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @MonkeyK 🙂 I learnt KV and extract for mocking up data from @cmerriman 🙂
Most of community members devise these tricks to mock sample data as per question to assist users. Obviously we do not have access to user's data another reason is re-usability by other members and also testing.
You are right that such data generation queries can go to Tips & Tricks section of Splunk Blogs but not sure who can do that 🙂
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mkrauss1, will you always have two stores or can it be more than two as well?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But a search for two stores would be great as well
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can have many stores
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have lookup file for STORES or can you have a lookup file?
| makeresults | eval message= "Happy Splunking!!!"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
