Compare data between two sourcetype

VandanaBansal · ‎03-12-2021

I have two different sourcetypes src_a, src_b.

src_a: This is a CSV uploaded from Server (has expected results for each event) and data has not changes since october so there was no upload after that

src_b: we have data for daily result count for each event

I want to compare src_a (last updated data received) to src_b (last 3 days) and show variance. Please help

VandanaBansal · ‎03-12-2021

SO what I have is Expected Link Clicks count (this does not change) and Actual Link Clicks (Daily Data). It has common fields Link Name, Activity, count

richgalloway · ‎03-13-2021

Start with something like this

(index=foo source=src_a) OR (index=bar source=src_b)
| stats values(*) as * by Link Name, Activity, count

---
If this reply helps you, Karma would be appreciated.

VandanaBansal · ‎03-15-2021

Hi

My requirement is:

I have two source types. First Source type data was uploaded 1 week back.

I have another source type which gets data on daily basis. I am using Time Range filter for 3 days. I want to setup alert while comparing data.

I need to find out how i can get data from first source type which was last uploaded (can be 1 week back or 1 month back). With last 3 days data of second source type.

Thank you for helping me on this!

richgalloway · ‎03-12-2021

Tell us more about the two sourcetypes. Are they similar in structure? Do they share any field names or values? What do you mean by "show variance"? Does it really make sense to compare October to 3 days ago?

---
If this reply helps you, Karma would be appreciated.

Compare data between two sourcetype

field extraction

other

subsearch

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector