×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
nathg123
Loves-to-Learn Lots
Member since: ‎07-01-2021
‎09-21-2021
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-01-2021
View All

Re: How to efficiently show the difference between...

by in Splunk Search
‎07-01-2021 11:24 PM
‎07-01-2021 11:24 PM
@kamlesh_vaghela  I have the field "Combiner" within event_simpleName=NeighborListIP4 I have the field "MAC" within event_simpleName=SensorHeartbeat Both fields contains MAC address's, I want to output what's in Combiner but not in MAC. However event_simpleName=NeighborListIP4 also has the field MAC, which I want to completely disregard. Sorry its difficult to explain, I hope this clears it up! event_simpleName=NeighborListIP4 Combiner event_simpleName=SensorHeartbeat MAC   1 4 Give me value of Combiner 4 4 Don't give me the value 5 7 Give me value of Combiner   Add tags ... View more

How to efficiently show the difference between two...

by in Splunk Search
‎07-01-2021 10:44 PM
‎07-01-2021 10:44 PM
Hey All, Here is my search index=main event_simpleName=NeighborListIP4 OR event_simpleName=SensorHeartbeat | rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;" | rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;" | rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;" | rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC4>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC5>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;" | rex field=NeighborList "(?<MAC1>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC2>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC3>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC4>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC5>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;.*?(?<MAC6>.................)\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|0\|.*;" | eval Combiner = mvappend('MAC1', 'MAC2', 'MAC3', 'MAC4', 'MAC5', 'MAC6') | mvexpand Combiner | dedup Combiner | table Combiner I want to show what is in the Combiner field but not present within the MAC field only inside event_simpleName=SensorHeartbeat MAC=* However both event_simpleName=NeighborListIP4 and event_simpleName=SensorHeartbeat contain the field name MAC. Not sure what is the most efficient way of doing this is, I was attempting to use diff command however no luck. Any help would be much appreciated! Thanks ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-21-2021 08:54 AM