Splunk Search

request comparison

gitingua
Communicator

Hello. How can two files be compared for identity?

file1.csv:

username  id_user
Jonh      123

file2.csv:

username  id_user
Jonh      124

How do I write a request correctly to check whether id_user is identical for one user in different files? Compare two files: is the ID the same or not?

if file1.csv.id_user != file2.csv.id_user 

There was a message that the id is different

0 Karma

ITWhisperer
SplunkTrust
| inputlookup file1.csv
| rename id_user as id_user1
| append [| inputlookup file2.csv]
| stats values(id_user1) as id_user1 values(id_user) as id_user2 by username
| where id_user1 != id_user2

techiesid
SplunkTrust

@gitingua ,

What about the below solution,

 

|  set diff 
    [| inputlookup file1.csv] 
    [| inputlookup file2.csv]
| stats values(group), values(id_user) by user

 

Sid

0 Karma

gitingua
Communicator

@ITWhisperer 

But how do I make the check on two attributes?

But how do I do a check on two attributes, if both are not alike?

When I write a check for two attributes using "or", that is, when one thing is similar, nothing comes out in my output. And if both are not alike, then everything turns out right.

If 

file1.csv

user  id_user  group
John  123      56

file2.csv

user  id_user  group
John  124      56

| inputlookup file1.csv
| rename id_user as id_user1
| rename group as group1
| append [| inputlookup file2.csv]
| stats values(id_user1) as id_user1 values(id_user) as id_user2 values(group1) as group1 values(group) as group2 by username
| where id_user1 != id_user2 or group1 != group2

output:

user  id_user1  id_user2  group1  group2
John  123       124       56      56

but need:

user  id_user1  id_user2  group
John  123       124       56
0 Karma

ITWhisperer
SplunkTrust
| makeresults
| eval user="John", id_user=123, group=56
| rename id_user as id_user1
| rename group as group1
| append 
    [| makeresults
    | eval user="John", id_user=124, group=56]
| stats values(id_user1) as id_user1 values(id_user) as id_user2 values(group1) as group1 values(group) as group2 by user
| where id_user1 != id_user2 or group1 != group2
| eval group=if(group1=group2,group1,null())
| eval group1=if(isnull(group),group1,null())
| eval group2=if(isnull(group),group2,null())
0 Karma

gitingua
Communicator

@ITWhisperer Thanks, my friend. But can you tell me how to correctly pull data from files using inputlookup? Thanks a lot!!

0 Karma

ITWhisperer
SplunkTrust
| inputlookup file1.csv
| rename id_user as id_user1
| rename group as group1
| append [| inputlookup file2.csv]
| stats values(id_user1) as id_user1 values(id_user) as id_user2 values(group1) as group1 values(group) as group2 by username
| where id_user1 != id_user2 or group1 != group2
| eval group=if(group1=group2,group1,null())
| eval group1=if(isnull(group),group1,null())
| eval group2=if(isnull(group),group2,null())

gitingua
Communicator

@ITWhisperer You are the best!! Thanks 

0 Karma
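
An added example, not code from any poster in this thread: the same append/stats comparison, extended so that a user present in only one file is also reported. A `where a != b` test is not true when either side is null, so such users would otherwise drop out of the result. The `src` and `diff` fields and the inline `constructed_rows` data (stand-ins for file1.csv and file2.csv) are assumptions of this example, and it assumes one row per user per file.

```spl
| makeresults
| eval constructed_rows=split("John,123,56;Mary,200,10;Bob,300,20", ";")
| mvexpand constructed_rows
| eval f=split(constructed_rows, ","), user=mvindex(f,0), id_user=mvindex(f,1), group=mvindex(f,2), src="file1"
| append
    [| makeresults
     | eval constructed_rows=split("John,124,56;Mary,200,11;Eve,400,30", ";")
     | mvexpand constructed_rows
     | eval f=split(constructed_rows, ","), user=mvindex(f,0), id_user=mvindex(f,1), group=mvindex(f,2), src="file2"]
| stats values(eval(if(src="file1", id_user, null()))) as id_user1
        values(eval(if(src="file2", id_user, null()))) as id_user2
        values(eval(if(src="file1", group, null()))) as group1
        values(eval(if(src="file2", group, null()))) as group2
        by user
| fillnull value="(missing)" id_user1 id_user2 group1 group2
| eval diff=case(id_user1!=id_user2 AND group1!=group2, "id_user,group",
                 id_user1!=id_user2, "id_user",
                 group1!=group2, "group")
| where isnotnull(diff)
| table user id_user1 id_user2 group1 group2 diff
```

To run it against the real lookups, replace each makeresults section with `| inputlookup file1.csv | eval src="file1"` and the file2.csv equivalent.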