Solved: compare linecount for files

EricPartington · ‎02-08-2012

I am using splunk to compare the output of routes from a list of firewalls. The output contains a listing of routes. I would like to compare the linecount from each pair member to make sure that the routes are added to each firewall properly.

I have field called cluster that associates the pair members (host)

host1-p,host1
host1-b,host1

I have a few hundred of these files to compare. I would like to build a view that shows the listing of cluster or hosts where the linecount is not the same between cluster members.

I will use that to investigate further. I can get the files into splunk and into an index.

How can I compare (subtract linecounts and if sum is non-0 show) the latest output for each cluster?

This gets me the data to compare

index=fw_audits eventtype=routes earliest=-14d | table cluster,host,linecount

Any thoughts how to do the compare between cluster members?

EricPartington · ‎02-18-2012

solved using the range() operator

View solution in original post

EricPartington · ‎02-18-2012

solved using the range() operator

compare linecount for files

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation