Splunk Search

trouble with set diff

dwharam
New Member

For inventory management purposes, I have been running the below splunk search for years.  It first checks Remedy and pulls a few common fields, then compares that against actual firewalls that are actively sending logs into splunk.  The output provided a list of firewalls that sends active logs but not in inventory management, and a list of devices in the inventory database which are not sending any active logs.  

|set diff [search source=remedyprod  TYPE=NETWORK CATEGORY=HARDWARE ITEM=FIREWALL Status="Deployed" CONFIGURATION=Production  | dedup CI_Name| table CI_Name | rename CI_Name as Remedy_CI_Name ] [search index=palo source=palo_alto sourcetype=pan:system| dedup dvc_host | table dvc_host | rename dvc_host as PA_Host_Name]

 

Today, the inventory database is only accessible via an inputlookup.  I tried modifying the above to:

|set diff [ |inputlookup ci_netgear  | search source=remedyprod MANAGINGUNIT=ITSNI TYPE=NETWORK CATEGORY=HARDWARE ITEM=FIREWALL Status="Deployed" CONFIGURATION=Production  Manufacturer="Palo Alto Networks"| dedup CI_Name| table CI_Name | rename CI_Name as Remedy_CI_Name ] [search index=pan_logs_traffic source=palo_alto sourcetype=pan:system| dedup dvc_host | table dvc_host | rename dvc_host as PA_Host_Name]

 

The result shows the full results of each search.  I get a column called Remedy_CI_Name with every firewall and another column called PA_host_name with every firewall.  It's like the "set diff" isn't doing anything at all.

any guesses?

 

thanks

d.

 

 

Labels (1)
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!