Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Compare Values Based on Multiple Field Matches

rdhdr
Explorer
‎09-24-2024 07:29 AM

Hello, I have the following dataset. It consists of configuration parameters from multiple systems. Each system has somewhere in the neighborhood of 3000-5000 parameters, some of which will not exist in all systems. I am trying to come up with a list of unique combinations of parameters with an Matching flag which shows whether the value is identical between both systems. It should indicate a false flag if the parameter exists in either system, but not the other, or if the parameter exists in both systems but with different values.

The parameters are identified by a unique combination of SERVICE_NAME, FILE_NAME, SECTION and KEY (all four are required to be the same). And the system is identified by SID. The data look like this:

SIDSERVICE_NAMEFILE_NAMESECTIONKEYVALUE
AAAindexglobal.iniglobaltimezone_dataset123
AAAdpserverindex.inipassword policyminimal_password_length16
AAAindexindex.iniflexible_tablereclaim_interval3600
AAAdpserverglobal.iniabstract_sql_planmax_count1000000
BBBdpserverindex.inipassword policyminimal_password_length16
BBBindexindex.inipassword policyminimal_password_length25
BBBdpserverglobal.iniabstract_sql_planmax_count1000000
BBBindexindex.inimergedogcheck_interval60000

 

The data is in a dashboard, along with drop-downs to select two systems to be compared. One a user selects system AAA and system BBB, I would like the result to show:

SERVICE_NAMEFILE_NAMESECTIONKEYMatch
indexglobal.iniglobaltimezone_datasetNo
dpserverindex.inipassword policyminimal_password_lengthYes
indexindex.iniflexible_tablereclaim_intervalNo
dpserverglobal.iniabstract_sql_planmax_countYes
indexindex.inipassword policyminimal_password_lengthNo
indexindex.inimergedogcheck_intervalNo

 

I have tried many different SPL searches, but none have provided the intended result.

I would greatly appreciate any assistance or guidance.

Cheers,

David

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2024 07:42 AM 
| stats values(SID) as SID values(VALUE) as VALUE by SERVICE_NAME FILE_NAME SECTION KEY
| eval match=if(mvcount(SID) = 2 AND mvcount(VALUE) = 1,"Yes", "No")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

rdhdr
Explorer
‎09-24-2024 08:09 AM

Wow, that was a lot simpler than the solutions I was trying to get working. Thank you!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2024 07:42 AM 
| stats values(SID) as SID values(VALUE) as VALUE by SERVICE_NAME FILE_NAME SECTION KEY
| eval match=if(mvcount(SID) = 2 AND mvcount(VALUE) = 1,"Yes", "No")
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...