Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How match the two different search results

james_n
Path Finder
‎07-15-2020 10:22 AM

Hi, 

how to compare search1 results with search2 and list out how many matched and not matched.
EX: search1: index=test sourcetype=sample | rex "type=(?<Job>.*) " |dedup Job |table Job
search2:  index=** sourcetype=** |rename JOBS AS Job |dedup Job |table Job

sample data from search1:

Jobs

xxx

yyy

zzz

aaa

sample data from search2:

Jobs

aaa

bbb

ccc

ddd

xxx

ttt

Expected sample output:
search1 is returning 100 jobs and search2 is returning 200 jobs, we need to list out the jobs those are not matching search1 with search2
for example: out of 100 jobs if 40 matched with search2 remaining 60 not matched jobs list in search1 

Output:

Jobs

bbb

ccc

ddd

ttt

Tried |set diff command but not worked, Please help. Thanks in advance.
       

Labels (1)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-15-2020 12:43 PM

Try a subsearch

index=** sourcetype=** NOT [ index=test sourcetype=sample | rex "type=(?<Job>.*) " |dedup Job | rename Job as JOBS | fields JOBS | format ]
| rename JOBS AS Job 
| dedup Job 
| table Job

This search looks for events in index ** which are not in index test.  I changed the field name in the subsearch to match the name used in the main search. 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

james_n
Path Finder
‎07-16-2020 02:23 AM

Hi @richgalloway ,

Thanks for the quick replay, Small mistake from my side that is required output. Please find the required output.

sample results from search1:

Jobs

xxx

yyy

zzz

aaa

sample data from search2:

Jobs

aaa

bbb

ccc

ddd

xxx

ttt

Expected output:

Jobs:

yyy

zzz

Please help me, Thanks in advance.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-16-2020 06:21 AM

That changes things a bit..

index=test sourcetype=sample 
| rex "type=(?<Job>.*) " 
| dedup Job
| search NOT [ index=** sourcetype=** | rename JOBS AS Job | dedup Job | fields Job | format ] 
| table Job

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...