Jazzzzzz
Reputation: 1633
Splunk: how to select not matching data across two sourcetype
I have following data in splunk in two different sourcetypes
index="xyz" sourcetype="assets"
name
--------
SERVER01
SERVER02
SERVER03
index="xyz" sourcetype="computers"
name
--------
SERVER02
SERVER03
SERVER05
i am trying to fetch data which is not matching in both sourcetypes
name
--------
SERVER01
SERVER05
i tried doing data selection using outer join as mentioned below but seems its not working
index="xyz" sourcetype="assets"
| table name
| join type=outer name
[| search index="xyz" sourcetype="computers"
| table name]
| table name
Please suggest
Upvotes: 0
Views: 1001
Answers (1)
RichG
Reputation: 9926
The stats command can do that. Collect the servers from each sourcetype and count their number. Those with a count of 1 don't match.
index=xyz (sourcetype=assets OR sourcetype=computers)
| stats count by name
| where count = 1
| table name
Upvotes: 3
Related Questions
- Filtering splunk results using results of another splunk query
- Splunk filter one search by another
- Splunk join two query to based on result of first query
- Join two Splunk queries without predefined fields
- How to filter out events before joining datasets with stats
- Splunk query reference field in joined data
- Splunk query for matching lines that do not contain text
- Splunk query to get non matching ID from two query
- Splunk query based on the results of another query
- How to combine two queries in Splunk?