Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to compare two events in one search to highlight what's changed

sx
Engager
‎08-18-2021 05:44 AM

Hi, I am trying to compare the between two events (json format), say, I can pipe with "head 2" to output only two events and then compare them and hight light what's changed, something like this:

<search syntax> | head 2

event 1

    {

        value:  20

         status: high

         category: A

   }

event 2

    {

         value: 25

         status: low

         category: A

   }

Output after compare looks like this or anything that can highlight the changes:

 changed         origin                new

value                  25                     20

status               low                     high

 

category is unchanged, so won't have to be highlighted. any help is appreciated.

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-20-2021 12:51 AM

Try something like this

<search syntax> | head 2
| spath
| fillnull value="missing or some other random string"
| table list of fields you are interested in
| stats values(*) as *
| foreach *
    [| eval mvc_<<FIELD>>=mvcount(<<FIELD>>)]
| eval max_mvc=0
| foreach mvc_*
    [| eval max_mvc=max(max_mvc,<<FIELD>>)]
| where max_mvc > 1

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sx
Engager
‎08-18-2021 05:51 AM

To be more clear, the fields could be changed by adding more KV pares, for example, the second event should have a child KV pares like this:

{

    {

         value: 25

         status: low

         category: A

         one_more_field: {

                                key: value

                         }

   }

}

And I want this extra KV pare to be highlighted as well.

0 Karma
Reply
Solved! Jump to solution

sx
Engager
‎08-19-2021 05:23 PM
I think it's a common requirement in our daily operation, no body ever encounter such scenario?
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-20-2021 12:51 AM

Try something like this

<search syntax> | head 2
| spath
| fillnull value="missing or some other random string"
| table list of fields you are interested in
| stats values(*) as *
| foreach *
    [| eval mvc_<<FIELD>>=mvcount(<<FIELD>>)]
| eval max_mvc=0
| foreach mvc_*
    [| eval max_mvc=max(max_mvc,<<FIELD>>)]
| where max_mvc > 1
0 Karma
Reply
Solved! Jump to solution

sx
Engager
‎08-22-2021 06:24 PM
it helps, no the exact what I want, but it does work. thank you so much.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...
Top