Splunk Search

trouble with set diff

dwharam
New Member

For inventory management purposes, I have been running the below Splunk search for years. It first checks Remedy and pulls a few common fields, then compares that against actual firewalls that are actively sending logs into Splunk. The output provided a list of firewalls that send active logs but are not in inventory management, and a list of devices in the inventory database which are not sending any active logs.

|set diff [search source=remedyprod  TYPE=NETWORK CATEGORY=HARDWARE ITEM=FIREWALL Status="Deployed" CONFIGURATION=Production  | dedup CI_Name| table CI_Name | rename CI_Name as Remedy_CI_Name ] [search index=palo source=palo_alto sourcetype=pan:system| dedup dvc_host | table dvc_host | rename dvc_host as PA_Host_Name]


Today, the inventory database is only accessible via an inputlookup.  I tried modifying the above to:

|set diff [ |inputlookup ci_netgear  | search source=remedyprod MANAGINGUNIT=ITSNI TYPE=NETWORK CATEGORY=HARDWARE ITEM=FIREWALL Status="Deployed" CONFIGURATION=Production  Manufacturer="Palo Alto Networks"| dedup CI_Name| table CI_Name | rename CI_Name as Remedy_CI_Name ] [search index=pan_logs_traffic source=palo_alto sourcetype=pan:system| dedup dvc_host | table dvc_host | rename dvc_host as PA_Host_Name]


The result shows the full results of each search. I get a column called Remedy_CI_Name with every firewall and another column called PA_Host_Name with every firewall. It's like the "set diff" isn't doing anything at all.

Any guesses?


Thanks

d.


0 Karma
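The behaviour described in the post can be reproduced outside Splunk. The following Python model is an added illustration, not code from the original post or from Splunk: it treats each subsearch as a list of rows and computes the symmetric difference the way `set diff` does, by comparing whole rows. Hostnames are constructed sample values, and the field names `Remedy_CI_Name`, `PA_Host_Name` and `host` are taken from the post or assumed for the illustration.

```python
"""Model of Splunk `set diff` over two constructed subsearch result sets.

Added illustration (not from the original post). `set diff` returns rows that
appear in only one of the two subsearches, comparing each row as a whole.
A row {Remedy_CI_Name: "fw-dc1-01"} is therefore never equal to
{PA_Host_Name: "fw-dc1-01"}, so when the two subsearches use different field
names every row of both survives the diff, which is exactly the symptom in
the post. Renaming both sides to one common field name restores the expected
two-sided difference.
"""
from typing import Dict, List

Row = Dict[str, str]

# Constructed sample data: what each subsearch would return.
REMEDY = ["fw-dc1-01", "fw-dc1-02", "fw-branch-07"]   # inventory (Remedy)
PA_LOGGING = ["fw-dc1-01", "fw-dc1-02", "fw-lab-99"]  # actively sending logs


def to_rows(field: str, values: List[str]) -> List[Row]:
    """Shape a list of hostnames as single-field result rows, as a subsearch would."""
    return [{field: v} for v in values]


def set_diff(a: List[Row], b: List[Row]) -> List[Row]:
    """Symmetric difference of two result lists, comparing rows as whole values."""
    sa = {tuple(sorted(r.items())) for r in a}
    sb = {tuple(sorted(r.items())) for r in b}
    return [dict(r) for r in sorted(sa ^ sb)]


def diff_mismatched_fields() -> List[Row]:
    """The post's situation: different field names on each side."""
    return set_diff(to_rows("Remedy_CI_Name", REMEDY),
                    to_rows("PA_Host_Name", PA_LOGGING))


def diff_common_field() -> List[Row]:
    """Both sides renamed to the same field ('host' is an assumed name)."""
    return set_diff(to_rows("host", REMEDY), to_rows("host", PA_LOGGING))


def reconcile(inventory: List[str], logging: List[str]) -> Dict[str, List[str]]:
    """The two lists a defender actually wants, labelled by side.

    `set diff` alone cannot say which side a leftover row came from; an
    explicit two-way difference keeps that information.
    """
    inv, log = set(inventory), set(logging)
    return {
        "logging_not_in_inventory": sorted(log - inv),
        "inventory_not_logging": sorted(inv - log),
    }


if __name__ == "__main__":
    print("mismatched field names ->", diff_mismatched_fields())  # all 6 rows
    print("common field name      ->", diff_common_field())       # 2 rows
    print("reconciliation         ->", reconcile(REMEDY, PA_LOGGING))
```

With mismatched field names the diff keeps all six rows; with a common field name it keeps only the two hosts that are on one side but not the other. The equivalent fix in the posted SPL is to rename both columns to the same name (for example `rename CI_Name as host` in the first subsearch and `rename dvc_host as host` in the second) before the `set diff`, and, if the side matters, to carry a second field marking the source so the unmanaged senders and the silent inventory entries can be told apart.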