Splunk Search

Calculate the difference between two fields?

Abdullah
Explorer

Dears,

We have two fields in one index; we need to compare the two fields and then create a new field showing only the difference between them.

Below is one example of the results from the two fields:

current_conf field:

_Name:REQ000004543448-4614240-shrepoint

previous_conf field:

_Name:REQ000004543448-shrepoint

Please provide your support.

ITWhisperer
SplunkTrust

When you are referring to the difference between two strings, you should be more specific. For example, what would you expect to have been shown for your example?

Having said that, I suspect that it is non-trivial and not something that is supported out-of-the-box.

Abdullah
Explorer

Hi @ITWhisperer.

The result that I need from my example: create a new field containing the difference between the two fields, which is "4614240".

current_conf field:

_Name:REQ000004543448-4614240-shrepoint

previous_conf field:

_Name:REQ000004543448-shrepoint

Best Regards,

ITWhisperer
SplunkTrust

Why not "4614240-" or "-4614240"?

What if your fields were "_Name:REQ000004543448-4614240-shrepoint" and "_Name:REQ000005543448-shrepoint"?

What about "_Name:REQ000004543448-4614240-shrepoint" and "_Name:REQ000004543448-4614240-shrepoint " (extra space at the end)?

What about " _Name:REQ000004543448-4614240-shrepoint" and "_Name:REQ000004543448-4614240-shrepoint" (extra space at the beginning)?

Abdullah
Explorer

Why not "4614240-" or "-4614240"?

No problem, we can show the field result with "-" at the beginning or end; it is not a big deal.

Regarding the other questions below, we only need to show the difference between the two fields.

Best Regards,

ITWhisperer
SplunkTrust

It kind of is a big deal. The requirement is too vague and not fully described, or it can be taken as being very specific as in you only want it applied to those exact examples you have given. The second example looks like it has two differences (the 5 instead of 4, and the extra numbers), how would you like to show that? The leading space in the fourth example means that every character position is different between the two fields. The trailing space example is identical apart from the extra space in one of the fields, does this matter, or should it be stripped before the comparison?

We humans can "easily" recognise the differences between these strings, but teaching a machine to do this is non-trivial, especially with the limited capabilities available in Splunk. It is not a tool designed for detecting these sorts of differences.

Abdullah
Explorer

Hi,

current_conf field:

_Name:REQ000004543448-4614240-shrepoint

previous_conf field:

_Name:REQ000004543448-shrepoint

Yes, I understood you; we just need to know the differing number between the two fields, which is "4614240", without "-" at the end or beginning.

So can we do that, or not?

ITWhisperer
SplunkTrust

It depends on what else is consistent between your fields - in your example, you could do this

| rex field=current_conf "\-(?<diff>\d+)\-"

to extract the extra digits.

Abdullah
Explorer

Ok Mr, after the extract, what is the next step?

ITWhisperer
SplunkTrust

That depends on what you are trying to achieve. The extract will give you a non-null value if the field matches the pattern, so you could filter on this

| where isnotnull(diff)

Abdullah
Explorer

Yes, then, please share with me the full search.

Thank you

ITWhisperer
SplunkTrust

What do you have so far?

Abdullah
Explorer

Actually, now I tried the search below to find the difference between two fields where the results are separated by "," not by "-"; see the search and results for the fields below:

current_conf field:

_URL_Value:http://0wl0jql1h.energosberezhenie.com/*,http://post5.vkrugudruzei.ru,https://ath-365-folder-0utlook...

previous_conf field:

_URL_Value:http://0wl0jql1h.energosberezhenie.com/*,http://post5.vkrugudruzei.ru,https://ath-365-folder-0utlook...

Search query:

my search
| rex field=current_conf "(?<h>[^)]+)" | eval SESSION_A=split(h,",") | mvexpand SESSION_A
| rex field=previous_conf "(?<B>[^)]+)" | eval SESSION_B=split(B,",") | mvexpand SESSION_B | where isnotnull(SESSION_A) | where isnotnull(SESSION_B)
| stats count,list(SESSION_A) as SESSION_A,list(SESSION_B) as SESSION_B by current_conf previous_conf
| where SESSION_B!=SESSION_A

But the search does not work.

Please provide your support.

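The token-level comparison this thread is after, for both the hyphen-separated _Name values and the comma-separated _URL_Value lists in the last post, written as an added Python example (not code from the thread, which uses Splunk's rex/split approach). It trims surrounding whitespace and drops the leading label before splitting, so the extra-space cases raised above compare as equal, and it reports every differing token, so the REQ000005543448 case shows all of its differences; the label regex and the sample values are assumptions constructed from the thread's examples.

```python
import re

# Assumed label format, modelled on "_Name:" and "_URL_Value:" in the thread.
LABEL_RE = re.compile(r"^[A-Za-z_]+:")


def tokens(value: str, sep: str) -> list[str]:
    """Normalise one conf value: trim surrounding whitespace (the 'extra space'
    cases raised in the thread), drop the leading label, split on sep."""
    body = LABEL_RE.sub("", value.strip(), count=1)
    return [t.strip() for t in body.split(sep) if t.strip()]


def config_diff(current: str, previous: str, sep: str) -> dict[str, list[str]]:
    """Return tokens only in current ('added') and only in previous ('removed'),
    in their original order. A token diff yields '4614240' rather than
    '-4614240' or '4614240-', and it reports several differences at once."""
    cur, prev = tokens(current, sep), tokens(previous, sep)
    return {
        "added": [t for t in cur if t not in prev],
        "removed": [t for t in prev if t not in cur],
    }


if __name__ == "__main__":
    # Constructed sample values based on the thread's examples.
    print(config_diff("_Name:REQ000004543448-4614240-shrepoint",
                      "_Name:REQ000004543448-shrepoint", "-"))
    # Two differences in one pair: both are reported, not merged into one string.
    print(config_diff("_Name:REQ000004543448-4614240-shrepoint",
                      "_Name:REQ000005543448-shrepoint", "-"))
    # Leading/trailing spaces do not count as a difference after trimming.
    print(config_diff(" _Name:REQ000004543448-4614240-shrepoint",
                      "_Name:REQ000004543448-4614240-shrepoint ", "-"))
    # Comma-separated URL list, as in the last post (constructed URLs).
    print(config_diff("_URL_Value:http://a.example/*,http://b.example",
                      "_URL_Value:http://a.example/*,http://c.example", ","))
```

Whether the label should be stripped, and whether a changed REQ number counts as a difference, are the decisions the answers above say the requirement has to settle first.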