Solved: Re: request comparison

gitingua · ‎10-14-2021

Hello. How can two files be compared for identity ?

file1.csv:

username	id_user
Jonh	123

file2.csv

username	id_user
Jonh	124

How to write a request correctly. To check if id_user is identical for one user in different files. Compare two files with the same ID or not

if file1.csv.id_user != file2.csv.id_user

There was a message that the id is different

ITWhisperer · ‎10-14-2021

| inputlookup file1.csv
| rename id_user as id_user1
| append [| inputlookup file2.csv]
| stats values(id_user1) as id_user1 values(id_user) as id_user2 by username
| where id_user1 != id_user2

View solution in original post

techiesid · ‎10-17-2021

@gitingua ,

What about the below solution,

|  set diff 
    [| inputlookup file1.csv] 
    [| inputlookup file2.csv]
| stats values(group), values(id_user) by user

Sid

ITWhisperer · ‎10-14-2021

| inputlookup file1.csv
| rename id_user as id_user1
| append [| inputlookup file2.csv]
| stats values(id_user1) as id_user1 values(id_user) as id_user2 by username
| where id_user1 != id_user2

gitingua · ‎10-17-2021

@ITWhisperer

But how to make the check on two attributes.

but how to do a check on two attributes. if both are not alike

when I write a check for two attributes using "or". that is, one thing is similar, nothing comes out of my output. And if both are not alike, then everything turns out right

If

file1.csv

user	id_user	group
John	123	56

file2.csv

user	id_user	group
John	124	56

| inputlookup file1.csv
| rename id_user as id_user1
| rename group as group1
| append [| inputlookup file2.csv]
| stats values(id_user1) as id_user1 values(id_user) as id_user2 values(group1) as group1 values(group) as group2 by username
| where id_user1 != id_user2 or group1 != group2

output:

user	id_user1	id_user2	group1	group2
John	123	124	56	56

but need:

user	id_user1	id_user2	group
John	123	124	56

ITWhisperer · ‎10-17-2021

| makeresults
| eval user="John", id_user=123, group=56
| rename id_user as id_user1
| rename group as group1
| append 
    [| makeresults
    | eval user="John", id_user=124, group=56]
| stats values(id_user1) as id_user1 values(id_user) as id_user2 values(group1) as group1 values(group) as group2 by user
| where id_user1 != id_user2 or group1 != group2
| eval group=if(group1=group2,group1,null())
| eval group1=if(isnull(group),group1,null())
| eval group2=if(isnull(group),group2,null())

gitingua · ‎10-17-2021

@ITWhisperer Thanks my friend. but can you tell me how to correctly pull data from files using inputlookup? Thanks a lot !!

ITWhisperer · ‎10-17-2021

| inputlookup file1.csv
| rename id_user as id_user1
| rename group as group1
| append [| inputlookup file2.csv]
| stats values(id_user1) as id_user1 values(id_user) as id_user2 values(group1) as group1 values(group) as group2 by username
| where id_user1 != id_user2 or group1 != group2
| eval group=if(group1=group2,group1,null())
| eval group1=if(isnull(group),group1,null())
| eval group2=if(isnull(group),group2,null())

gitingua · ‎10-17-2021

@ITWhisperer You are the best!! Thanks

request comparison

search job inspector

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation