{"id":13862,"date":"2020-06-10T15:57:10","date_gmt":"2020-06-10T15:57:10","guid":{"rendered":"https:\/\/merikebi.warrenmyers.com\/?p=13862"},"modified":"2020-06-10T15:57:10","modified_gmt":"2020-06-10T15:57:10","slug":"answer-by-warren-for-delta-between-two-splunk-search-results","status":"publish","type":"post","link":"https:\/\/merikebi.warrenmyers.com\/?p=13862","title":{"rendered":"Answer by warren for Delta between two Splunk search results"},"content":{"rendered":"<p>You can do this without a <code>join<\/code> like this:<\/p>\n<pre><code>index=\"xyz-index\" userId=*\n| rename attributes.privateGroups as privateGroups attributes.publicGroups as publicGroups\n<\/code><\/pre>\n<p>Make sure the <code>privateGroups<\/code> and <code>publicGroups<\/code> fields exist in all events<\/p>\n<pre><code>| fillnull value=\"-\" privateGroups publicGroups\n<\/code><\/pre>\n<p>Because we know fields with &#8220;-&#8221; in them were filled with <code>fillnull<\/code>:<\/p>\n<pre><code>| eval both=if(privateGroups!=\"-\" AND publicGroups!=\"-\",1,0)\n| eval inPrivate=if(privateGroups!=\"-\",1,0)\n| eval inPublic=if(publicGroups!=\"-\",1,0)\n<\/code><\/pre>\n<p>Ensure there is only one event per &#8220;type&#8221; (public-vs-private-vs-both) with <code>userId<\/code>:<\/p>\n<pre><code>| stats count by userId both inPrivate inPublic\n<\/code><\/pre>\n<p>Lastly, give a report of userIds that are in both, just private, and just public:<\/p>\n<pre><code>| stats sum(both) as both_count sum(inPrivate) as private_count sum(inPublic) as public_count by userId\n<\/code><\/pre>\n<p>from User warren &#8211; Stack Overflow https:\/\/stackoverflow.com\/questions\/62297606\/delta-between-two-splunk-search-results\/62307259#62307259<br \/>\nvia <a href=\"https:\/\/ifttt.com\/?ref=da&#038;site=wordpress\">IFTTT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>You can do this without a join like this: index=&#8221;xyz-index&#8221; userId=* | rename attributes.privateGroups as 
privateGroups attributes.publicGroups as publicGroups Make sure the privateGroups and publicGroups fields exist in all events | fillnull value=&#8221;-&#8221; privateGroups publicGroups Because we know fields with &#8220;-&#8221; in them were filled with fillnull: | eval both=if(privateGroups!=&#8221;-&#8221; AND publicGroups!=&#8221;-&#8220;,1,0) | eval inPrivate=if(privateGroups!=&#8221;-&#8220;,1,0) &hellip;<br \/><a href=\"https:\/\/merikebi.warrenmyers.com\/?p=13862\" class=\"more-link pen_button pen_element_default pen_icon_arrow_double\">Continue reading <span class=\"screen-reader-text\">Answer by warren for Delta between two Splunk search results<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[991],"keyring_services":[],"class_list":["post-13862","post","type-post","status-publish","format-standard","hentry","category-blih","tag-stackexchange"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/13862","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=13862"}],"version-history":[{"count":1,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/13862\/revisions"}],"predecessor-version":[{"id":13863,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/13862\/revisio
ns\/13863"}],"wp:attachment":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=13862"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=13862"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=13862"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fkeyring_services&post=13862"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}