In the logs I will see an event with the text CanonicalItemLoggingService and id=3632735.
Similarly, in the logs I may or may not have events for 3632735 with the text TargetItemLoggingService and canonicalItem=3632735 and action=17243.
I want to write a Splunk query that will display events which are present in CanonicalItemLoggingService but not in TargetItemLoggingService.
The query below, which I wrote, gives me results when the event is present in both CanonicalItemLoggingService and TargetItemLoggingService.
host="xyz", sourcetype=dh, "[c.h.d.l.i.canonicalItemLoggingService]"
| fields traceId, batchId, id
| rename id as canonicalItem
| table traceId, batchId, canonicalItem
| append
[ search host="xyz*", sourcetype=dh, "[c.h.d.l.i.TargetItemLoggingService]"
| fields canonicalItem, id , action
| rename id as pubId
| table canonicalItem, pubId, action
| fillnull pubId value=NULL
| stats list(pubId) as pubId, list(action) as action by canonicalItem ]
| stats list(traceId) as traceId, list(batchId) as batchId, list(pubId) as pubId, list(action) as action by canonicalItem
| table traceId, batchId, canonicalItem, pubId, action
| where canonicalItem="3632735"
The result appears as below:
traceId  batchId  canonicalItem  pubId     action
d7b      449996   3632735        29664000  17243
                                 29664035  17243
                                 29663967  17243
I want the list to show up as below when there is no matching TargetItemLoggingService event:
traceId  batchId  canonicalItem  pubId  action
d7b      449996   3632735
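One way to express the comparison asked for above, as an added example that is not part of the original post: search both event types in one pass, key every event on the canonical item id, and keep only the ids that never occur in a TargetItemLoggingService event. It assumes the same host, sourcetype and extracted fields (id, canonicalItem, traceId, batchId, action) as the query in the question; `isTarget`, `item` and `hasTarget` are names introduced here for illustration.

```spl
host="xyz*" sourcetype=dh ("[c.h.d.l.i.CanonicalItemLoggingService]" OR "[c.h.d.l.i.TargetItemLoggingService]")
| eval isTarget=if(searchmatch("TargetItemLoggingService"), 1, 0)
| eval item=if(isTarget=1, canonicalItem, id)
| eval pubId=if(isTarget=1, id, null())
| stats values(traceId) as traceId, values(batchId) as batchId, values(pubId) as pubId, values(action) as action, max(isTarget) as hasTarget by item
| where hasTarget=0
| rename item as canonicalItem
| table traceId, batchId, canonicalItem, pubId, action
```

Dropping the `where hasTarget=0` line returns every canonical item, with pubId and action filled in only where a TargetItemLoggingService event exists.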