Splunk Search

How to Compare Values Based on Multiple Field Matches

rdhdr
Explorer

Hello, I have the following dataset. It consists of configuration parameters from multiple systems. Each system has somewhere in the neighborhood of 3000-5000 parameters, some of which will not exist in all systems. I am trying to come up with a list of unique combinations of parameters with a Matching flag which shows whether the value is identical between both systems. It should indicate a false flag if the parameter exists in either system, but not the other, or if the parameter exists in both systems but with different values.

The parameters are identified by a unique combination of SERVICE_NAME, FILE_NAME, SECTION and KEY (all four are required to be the same). And the system is identified by SID. The data look like this:

| SID | SERVICE_NAME | FILE_NAME | SECTION | KEY | VALUE |
|---|---|---|---|---|---|
| AAA | index | global.ini | global | timezone_dataset | 123 |
| AAA | dpserver | index.ini | password policy | minimal_password_length | 16 |
| AAA | index | index.ini | flexible_table | reclaim_interval | 3600 |
| AAA | dpserver | global.ini | abstract_sql_plan | max_count | 1000000 |
| BBB | dpserver | index.ini | password policy | minimal_password_length | 16 |
| BBB | index | index.ini | password policy | minimal_password_length | 25 |
| BBB | dpserver | global.ini | abstract_sql_plan | max_count | 1000000 |
| BBB | index | index.ini | mergedog | check_interval | 60000 |

The data is in a dashboard, along with drop-downs to select two systems to be compared. Once a user selects system AAA and system BBB, I would like the result to show:

| SERVICE_NAME | FILE_NAME | SECTION | KEY | Match |
|---|---|---|---|---|
| index | global.ini | global | timezone_dataset | No |
| dpserver | index.ini | password policy | minimal_password_length | Yes |
| index | index.ini | flexible_table | reclaim_interval | No |
| dpserver | global.ini | abstract_sql_plan | max_count | Yes |
| index | index.ini | password policy | minimal_password_length | No |
| index | index.ini | mergedog | check_interval | No |

I have tried many different SPL searches, but none have provided the intended result.

I would greatly appreciate any assistance or guidance.

Cheers,

David

0 Karma
1 Solution

ITWhisperer
SplunkTrust

```spl
| stats values(SID) as SID values(VALUE) as VALUE by SERVICE_NAME FILE_NAME SECTION KEY
| eval match=if(mvcount(SID) = 2 AND mvcount(VALUE) = 1,"Yes", "No")
```


0 Karma

rdhdr
Explorer

Wow, that was a lot simpler than the solutions I was trying to get working. Thank you!

0 Karma
