I just had a user want to compare lists/arrays for diff etc. Honestly I have no idea how I might compare mvfields or even events. Wondering if you can point me to a good tutorial/doc on this?
SOME USER [2:10 PM]
[2:10] does Splunk have any way to compare lists/arrays?
[2:11] I have delimited list A and list B
[2:11] is there a splunk function to diff the two?
[2:11] (or alternatively, split list A and list B, load them into two mvindex-ed fields, and compare the two fields for diffs)
[2:12] My Use Case: Windows logs changes to AD Group memberships, but doesn't actually tell you WHAT change was made
[2:13] so I want to compare Event 1 "Here are the current group members" to Event 2's "Here are the current group members" and find what changed
Wow, this one was SUPER fun! Feast your eyes on this @alacercogitatus:
| makeresults
| eval raw="a,b,c,d,e a,b,c,e,f"
| makemv raw
| mvexpand raw
| makemv delim="," raw
| eval host="matchingHost"
| streamstats count AS _serial
| eval after=if(_serial=1, raw, null())
| eval before=if(_serial=2, raw, null())
| fields - raw
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| selfjoin _time host
| streamstats count AS _serial
| multireport
    [| mvexpand after | where before!=after | rename after AS removed]
    [| mvexpand before | where before!=after | rename before AS added]
| fields - before after
| stats first(_time) AS _time first(host) AS host values(*) AS * BY _serial
As long as the pairs of events have the same exact timestamp, this works for any number of hosts and pairs.
set diff is clunky and I haven't found a good use case for it. There are much easier ways to compare things.
Let's just do the basic, straightforward approach. Put the first set in with some field marked "A" and the second set in with some field marked "B".
| inputcsv append=t mylistA.csv | table user group | eval myfield="A" | append [ | inputcsv append=t mylistB.csv | table user group | eval myfield="B"] | stats values(myfield) as myfield by user group
This gives you records which have three fields: user, group and myfield. myfield is a multivalue field, and if it has mvcount(myfield)>1 then it is in both files unchanged. If you just want to see changes, then do this:
| where mvcount(myfield)=1 | eval mystatus = if(myfield="A","removed", "added")
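Both answers above compare exactly one pair of lists. For the original use case (a stream of group-membership snapshots, where each event lists the current members of one group and you want the delta against the previous snapshot of the same group), here is an added example search that is not from either answer. It uses streamstats to carry the previous snapshot forward per group and mvmap/mvfind to compute added and removed members element-wise, so it generalizes to any number of groups and any number of snapshots per group. The sample data is constructed with makeresults; the field names group and members_csv are assumptions, and member names are assumed to be plain account names with no regex metacharacters, since mvfind takes a regex.

```spl
| makeresults count=5
| streamstats count AS n
| rename COMMENT AS "Constructed sample data: two groups, each logged more than once with its full member list"
| eval group=case(n<=3, "Domain Admins", true(), "Backup Operators")
| eval members_csv=case(n=1, "alice,bob,carol", n=2, "alice,carol,dave", n=3, "alice,dave", n=4, "erin,frank", n=5, "erin,frank")
| eval _time=_time + n*60
| rename COMMENT AS "Solution: bring the previous snapshot of the same group forward, then compare element-wise"
| sort 0 group _time
| streamstats current=f window=1 last(members_csv) AS prev_csv BY group
| rename COMMENT AS "The first snapshot of a group has nothing to compare against; treat it as the baseline and skip it"
| where isnotnull(prev_csv)
| eval cur=split(members_csv, ","), prev=split(prev_csv, ",")
| rename COMMENT AS "mvmap keeps an element when the expression returns it and drops it on null(); mvfind returns null when no element matches the anchored regex"
| eval added=mvmap(cur, if(isnull(mvfind(prev, "^".cur."$")), cur, null()))
| eval removed=mvmap(prev, if(isnull(mvfind(cur, "^".prev."$")), prev, null()))
| rename COMMENT AS "Snapshots with no change produce neither added nor removed; drop them"
| where isnotnull(added) OR isnotnull(removed)
| table _time group prev_csv members_csv added removed
```

With the constructed data this returns two rows for Domain Admins (first: added=dave, removed=bob; second: removed=carol) and nothing for Backup Operators, whose two snapshots are identical. Because the comparison is keyed BY group and driven by event order rather than by identical timestamps, it does not depend on the pairs sharing an exact _time the way the selfjoin approach does.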