Hi,
how do I compare search1 results with search2 and list out how many matched and how many did not match?
EX: search1: index=test sourcetype=sample | rex "type=(?<Job>.*) " |dedup Job |table Job
search2: index=** sourcetype=** |rename JOBS AS Job |dedup Job |table Job
sample data from search1:
Jobs
xxx
yyy
zzz
aaa
sample data from search2:
Jobs
aaa
bbb
ccc
ddd
xxx
ttt
Expected sample output:
search1 returns 100 jobs and search2 returns 200 jobs; we need to list out the jobs that do not match between search1 and search2.
For example: out of 100 jobs, if 40 match search2, list the remaining 60 unmatched jobs in search1.
Output:
Jobs
bbb
ccc
ddd
ttt
I tried the |set diff command but it did not work. Please help. Thanks in advance.
Try a subsearch
index=** sourcetype=** NOT [ index=test sourcetype=sample | rex "type=(?<Job>.*) " |dedup Job | rename Job as JOBS | fields JOBS | format ]
| rename JOBS AS Job
| dedup Job
| table Job
This search looks for events in index ** which are not in index test. I changed the field name in the subsearch to match the name used in the main search.
Hi @richgalloway ,
Thanks for the quick reply. Small mistake from my side regarding the required output. Please find the required output below.
sample results from search1:
Jobs
xxx
yyy
zzz
aaa
sample data from search2:
Jobs
aaa
bbb
ccc
ddd
xxx
ttt
Expected output:
Jobs:
yyy
zzz
Please help me. Thanks in advance.
That changes things a bit.
index=test sourcetype=sample
| rex "type=(?<Job>.*) "
| dedup Job
| search NOT [ index=** sourcetype=** | rename JOBS AS Job | dedup Job | fields Job | format ]
| table Job
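An alternative to the NOT [ ... ] subsearch, added here as an example and not part of the thread: it appends both result sets and counts per Job, which sidesteps the subsearch's default cap of 10,000 results. The two makeresults stages are constructed stand-ins for search1 and search2 built from the sample Jobs in the question; replace them with the real index=test and index=** searches (keeping the eval src=... on each side).

```spl
| makeresults count=1
| eval Job=split("xxx,yyy,zzz,aaa", ",")
| mvexpand Job
| eval src="search1"
| append
    [ | makeresults count=1
      | eval Job=split("aaa,bbb,ccc,ddd,xxx,ttt", ",")
      | mvexpand Job
      | eval src="search2" ]
| stats count(eval(src="search1")) AS in1, count(eval(src="search2")) AS in2 BY Job
| where in1>0 AND in2=0
| table Job
```

With the sample data this returns yyy and zzz; flipping the condition to in1=0 AND in2>0 returns the jobs found only in search2 (bbb, ccc, ddd, ttt), the output first asked for in the question.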