Splunk Search

request comparison

gitingua
Communicator

Hello. How can two files be compared for identity?

file1.csv:

username  id_user
Jonh      123

file2.csv:

username  id_user
Jonh      124

How do I write the search correctly, to check whether id_user is identical for one user in the different files, i.e. compare whether the two files have the same ID or not?

if file1.csv.id_user != file2.csv.id_user 

There was a message that the id is different

1 Solution

ITWhisperer
SplunkTrust
| inputlookup file1.csv
| rename id_user as id_user1
| append [| inputlookup file2.csv]
| stats values(id_user1) as id_user1 values(id_user) as id_user2 by username
| where id_user1 != id_user2


techiesid
SplunkTrust

@gitingua ,

What about the below solution,

| set diff
    [| inputlookup file1.csv]
    [| inputlookup file2.csv]
| stats values(group), values(id_user) by user

Sid


gitingua
Communicator

@ITWhisperer 

But how do I make the check on two attributes, if both are not alike?

When I write a check for two attributes using "or", that is, when one of them is similar, nothing comes out in my output. And if both are not alike, then everything turns out right.

If

file1.csv:

user  id_user  group
John  123      56

file2.csv:

user  id_user  group
John  124      56

| inputlookup file1.csv
| rename id_user as id_user1
| rename group as group1
| append [| inputlookup file2.csv]
| stats values(id_user1) as id_user1 values(id_user) as id_user2 values(group1) as group1 values(group) as group2 by username
| where id_user1 != id_user2 or group1 != group2

output:

user  id_user1  id_user2  group1  group2
John  123       124       56      56

but I need:

user  id_user1  id_user2  group
John  123       124       56

ITWhisperer
SplunkTrust
| makeresults
| eval user="John", id_user=123, group=56
| rename id_user as id_user1
| rename group as group1
| append 
    [| makeresults
    | eval user="John", id_user=124, group=56]
| stats values(id_user1) as id_user1 values(id_user) as id_user2 values(group1) as group1 values(group) as group2 by user
| where id_user1 != id_user2 or group1 != group2
| eval group=if(group1=group2,group1,null())
| eval group1=if(isnull(group),group1,null())
| eval group2=if(isnull(group),group2,null())

gitingua
Communicator

@ITWhisperer Thanks, my friend. But can you tell me how to correctly pull data from the files using inputlookup? Thanks a lot!!


ITWhisperer
SplunkTrust
| inputlookup file1.csv
| rename id_user as id_user1
| rename group as group1
| append [| inputlookup file2.csv]
| stats values(id_user1) as id_user1 values(id_user) as id_user2 values(group1) as group1 values(group) as group2 by username
| where id_user1 != id_user2 or group1 != group2
| eval group=if(group1=group2,group1,null())
| eval group1=if(isnull(group),group1,null())
| eval group2=if(isnull(group),group2,null())
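The same comparison logic as the accepted answer (stats values by user, keep rows where any field differs, collapse a field into one column when both files agree), reproduced outside Splunk as an added example that is not part of this thread. The two CSV strings are constructed sample data; the column names follow the user/id_user/group layout shown above.

```python
import csv
import io

# Constructed sample lookups mirroring file1.csv / file2.csv from the thread (not real files).
FILE1_CSV = "user,id_user,group\nJohn,123,56\nAlice,777,10\nBob,5,20\n"
FILE2_CSV = "user,id_user,group\nJohn,124,56\nAlice,777,10\nBob,5,21\n"


def load_lookup(text):
    """Parse CSV text into {user: row}, the equivalent of | inputlookup ... by user."""
    return {row["user"]: row for row in csv.DictReader(io.StringIO(text))}


def compare_lookups(csv1, csv2, fields=("id_user", "group")):
    """Return only the users whose compared fields differ between the two files.

    A field that is equal in both files is reported once under its plain name,
    a differing field as <field>1 / <field>2, matching the group-collapsing
    evals in the accepted answer. Users present in just one file are skipped,
    as the SPL 'where' clause does when one side of the comparison is null.
    """
    rows1, rows2 = load_lookup(csv1), load_lookup(csv2)
    diffs = {}
    for user in sorted(rows1.keys() & rows2.keys()):
        r1, r2 = rows1[user], rows2[user]
        entry, mismatch = {}, False
        for f in fields:
            v1, v2 = r1.get(f), r2.get(f)
            if v1 == v2:
                entry[f] = v1              # identical in both files: single column
            else:
                entry[f + "1"], entry[f + "2"] = v1, v2
                mismatch = True
        if mismatch:                       # the "id_user1 != id_user2 or group1 != group2" filter
            diffs[user] = entry
    return diffs


if __name__ == "__main__":
    for user, entry in compare_lookups(FILE1_CSV, FILE2_CSV).items():
        print(user, entry)
```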

gitingua
Communicator

@ITWhisperer You are the best!! Thanks 
