Splunk Search

how to compare two events in one search to highlight what's changed

sx
Engager

Hi, I am trying to compare the differences between two events (JSON format). Say I pipe with "head 2" to output only two events, then compare them and highlight what's changed, something like this:

<search syntax> | head 2

event 1

    {
        value: 20
        status: high
        category: A
    }

event 2

    {
        value: 25
        status: low
        category: A
    }

Output after compare looks like this, or anything that can highlight the changes:

    changed    origin    new
    value      25        20
    status     low       high


Category is unchanged, so it won't have to be highlighted. Any help is appreciated.

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Try something like this

<search syntax> | head 2
| spath
| fillnull value="missing or some other random string"
| table list of fields you are interested in
| stats values(*) as *
| foreach *
    [| eval mvc_<<FIELD>>=mvcount(<<FIELD>>)]
| eval max_mvc=0
| foreach mvc_*
    [| eval max_mvc=max(max_mvc,<<FIELD>>)]
| where max_mvc > 1

0 Karma
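The same change detection expressed outside Splunk, as an added example that is not from the thread or from Splunk itself: a short Python script that flattens two JSON events into dotted field paths the way spath does, fills fields absent from one event with a placeholder like the answer's fillnull, and lists only the fields with more than one distinct value across the two events, which is what the answer's mvcount check finds. It also covers the follow-up case of a nested key present in just one event. The sample events are constructed to mirror the question; the field names, the "missing" placeholder and the function names are assumptions.

```python
"""Added example (not from the thread): diff two JSON events field by field.

Mirrors the accepted answer's pipeline: spath-style flattening, a fillnull
placeholder for absent fields, and reporting only fields whose value differs.
"""
import json

MISSING = "missing"  # stands in for the answer's fillnull placeholder (assumed value)


def flatten(obj, prefix=""):
    """Return {dotted.path: value} for a nested JSON object (spath-style paths)."""
    out = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}{key}."))
    elif isinstance(obj, list):
        # simplification for this example: a JSON array is compared as one
        # canonical string rather than expanded into Splunk's multivalue form
        out[prefix.rstrip(".")] = json.dumps(obj, sort_keys=True)
    else:
        out[prefix.rstrip(".")] = obj
    return out


def diff_events(origin_json, new_json, missing=MISSING):
    """Compare two raw JSON event strings.

    Returns a list of (field, origin_value, new_value) rows for every field
    that changed, was added, or was removed; unchanged fields are left out.
    """
    origin = flatten(json.loads(origin_json))
    new = flatten(json.loads(new_json))
    rows = []
    # union of field names, like stats values(*) over both events
    for field in sorted(origin.keys() | new.keys()):
        o_val = origin.get(field, missing)  # fillnull for a field only in the other event
        n_val = new.get(field, missing)
        if o_val != n_val:  # equivalent to mvcount(field) > 1 after stats values
            rows.append((field, o_val, n_val))
    return rows


def render(rows):
    """Plain-text table in the changed / origin / new shape the question asked for."""
    lines = [f"{'changed':<20}{'origin':<12}{'new':<12}"]
    for field, o_val, n_val in rows:
        lines.append(f"{field:<20}{str(o_val):<12}{str(n_val):<12}")
    return "\n".join(lines)


# Constructed sample events mirroring the question. event 1 is the newer one
# (head 2 returns newest first); event 2 is the older one and carries the
# extra nested key from the follow-up post.
EVENT_1 = '{"value": 20, "status": "high", "category": "A"}'
EVENT_2 = ('{"value": 25, "status": "low", "category": "A", '
           '"one_more_field": {"key": "value"}}')

if __name__ == "__main__":
    # origin = older event, new = newer event, matching the question's table
    print(render(diff_events(EVENT_2, EVENT_1)))
```

Run it directly to print the changed/origin/new table; category is absent from the output because it is identical in both events, while one_more_field.key shows up with the placeholder on the side that lacks it. Back in SPL, spath already extracts that nested key as one_more_field.key, so listing that path (or using `table *`) in the accepted answer's table command extends it to the follow-up case.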

sx
Engager

To be more clear, the fields could be changed by adding more KV pairs. For example, the second event should have a child KV pair like this:

    {
        {
            value: 25
            status: low
            category: A
            one_more_field: {
                key: value
            }
        }
    }

And I want this extra KV pair to be highlighted as well.

0 Karma

sx
Engager

I think it's a common requirement in our daily operations; has nobody ever encountered such a scenario?

0 Karma

sx
Engager

It helps; not exactly what I want, but it does work. Thank you so much.

0 Karma