compare find missing values from two indexes same...

learningnow · ‎09-30-2019

Trying to create a report using two indexes on same field "Pcname".
Different datatype one of from Active Directory and other one is from SCCM.
Same computer are present in both indexes

see also the attach screen short.

Desire results:

If missing form for either Index or not reported back in last 30 days
nice it have one report but if not possible then we can break in 2 reports or more if needed

Thanks in advance

jkat54 · ‎09-30-2019

Something like this:

index=ad OR index=sccm 
| eval pcName=coalesc(pcname_field_in_AD_index, pcname_field_in_SCCM_index)
| eval lastContact=coaslesc(lastContact_field_in_AD_index, lastContact_field_in_SCCM_index)
| fillnull value="missing"
| stats latest(lastContact) as lastContact by pcName index
| eval comments="Logic for missing / over 30 days goes here"

learningnow · ‎09-30-2019

Thanks let me try if this would work

compare find missing values from two indexes same field heading /name

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation