Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare 2 lists from 2 different searches ?

utk123
Path Finder
‎10-09-2019 04:24 AM

I have 2 different searches to create 2 hosts list, and I want below from splunk search:
1. Find all hosts from 1st search from a csv.
2. Find few hosts from different 2nd search with a criteria.
3. Find any host which is in List1 but not in List2, and populate in 3rd list.

Example:
List1 from search1 - Host1, Host2, Host3, Host6, Host7
List2 from search2 - Host2, Host3, Host4, Host5
List3 should be - Host1, Host6, Host7

My current splunk search listed below is showing all non-duplicate host from List1 & List2, which is not what I want.
Currently from below search my List3 shows me - Host1, Host4, Host5, Host6, Host7

| inputlookup hostlist.csv | rename host as hostname
| append [| search index=aaa AND bbb | rename name as hostname]
| stats count by hostname | search count=1 | table hostname

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-09-2019 06:18 AM

@utk123,

Test this with your data

| inputlookup hostlist.csv | rename host as hostname|eval source="one"
| append [| search index=aaa AND bbb | rename name as hostname|eval source="two"]
| stats values(source) as source,count by hostname | where count == 1 AND source="one"
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-09-2019 06:18 AM

@utk123,

Test this with your data

| inputlookup hostlist.csv | rename host as hostname|eval source="one"
| append [| search index=aaa AND bbb | rename name as hostname|eval source="two"]
| stats values(source) as source,count by hostname | where count == 1 AND source="one"
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

utk123
Path Finder
‎10-09-2019 06:47 PM

Thanks, above solution works.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...