{"id":60860,"date":"2022-07-22T14:27:34","date_gmt":"2022-07-22T14:27:34","guid":{"rendered":"https:\/\/merikebi.warrenmyers.com\/?p=60860"},"modified":"2022-07-22T14:27:34","modified_gmt":"2022-07-22T14:27:34","slug":"answer-by-warren-for-comparing-search-results-from-two-separate-searches","status":"publish","type":"post","link":"https:\/\/merikebi.warrenmyers.com\/?p=60860","title":{"rendered":"Answer by warren for Comparing search results from two separate searches"},"content":{"rendered":"<p>What you&#8217;re describing can be done either with <a href=\"https:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/SearchReference\/join\" rel=\"nofollow noreferrer\"><code>join<\/code><\/a> (the more &quot;obvious&quot; path), or <a href=\"https:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/SearchReference\/stats\" rel=\"nofollow noreferrer\"><code>stats<\/code><\/a>:<\/p>\n<h5><code>join<\/code>:<\/h5>\n<pre><code>index=ndx1 sourcetype=srctp1 authresult=* uniquehash=* times=* uniqueid=&quot;1&quot;\n| stats count by uniquehash times\n| fields - count\n| rename times as unique1\n| join uniquehash\n    [| search index=ndx1 sourcetype=srctp1 authresult=* uniquehash=* times=* uniqueid=&quot;2&quot;\n    | stats count by uniquehash times \n    | fields - count\n    | rename times as unique2 ]\n<\/code><\/pre>\n<p>Note, using <code>join<\/code> is <em>generally<\/em> not suggested &#8211; the innermost search will be capped at 60s run time or 50k rows returned (so run the fastest\/shortest search innermost).<\/p>\n<p>Additionally, this will get very cumbersome if you need to do more than a couple &quot;uniqueid&quot; comparisons.<\/p>\n<h5><code>stats<\/code>:<\/h5>\n<pre><code>index=ndx sourcetype=srctp uniquehash=* times=* uniqueid=*\n| eval idkt=uniqueid.&quot;,&quot;.times\n| stats values(idkt) as idkt by uniquehash\n| where mvcount(idkt)&gt;1\n| mvexpand idkt\n| rex field=idkt &quot;(?&lt;uniqueid&gt;[^,]+),(?&lt;times&gt;.+)&quot;\n| table uniquehash uniqueid 
times\n<\/code><\/pre>\n<p>from User warren &#8211; Stack Overflow https:\/\/stackoverflow.com\/questions\/44939134\/comparing-search-results-from-two-separate-searches\/73081830#73081830<br \/>\nvia <a href=\"https:\/\/ifttt.com\/?ref=da&#038;site=wordpress\">IFTTT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What you&#8217;re describing can be done either with join (the more &quot;obvious&quot; path), or stats: join: index=ndx1 sourcetype=srctp1 authresult=* uniquehash=* times=* uniqueid=&quot;1&quot; | stats count by uniquehash times | fields &#8211; count | rename times as unique1 | join uniquehash [| search index=ndx1 sourcetype=srctp1 authresult=* uniquehash=* times=* uniqueid=&quot;2&quot; | stats count by uniquehash times | &hellip;<br \/><a href=\"https:\/\/merikebi.warrenmyers.com\/?p=60860\" class=\"more-link pen_button pen_element_default pen_icon_arrow_double\">Continue reading <span class=\"screen-reader-text\">Answer by warren for Comparing search results from two separate 
searches<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[991],"keyring_services":[],"class_list":["post-60860","post","type-post","status-publish","format-standard","hentry","category-blih","tag-stackexchange"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/60860","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=60860"}],"version-history":[{"count":1,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/60860\/revisions"}],"predecessor-version":[{"id":60861,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/60860\/revisions\/60861"}],"wp:attachment":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=60860"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=60860"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=60860"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fkeyring_services&post=60860"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true
}]}}