From a search I composed a table, let's call it T1, formed by two columns: name, sourcetype.
Now I need to create a static, code-generated table, call it T2, that contains all the expected values for the above-mentioned table T1, hardcoded. 1st question: how could I?
2nd question:
As a result, I need to generate a table T3 equal to T2 - T1, basically a logical set difference on the first field, which answers the business question "I want to know which records are missing in T1 based on T2".
I am a newbie to Splunk and its query language, and I tried to play a bit with set diff and eval to create static data, but I did not manage to create the logic I want at all.
Could you point me to the correct logical implementation of this task?
I script fluently in both SQL and Python; is there any kind of concept I could reuse to become more familiar with this query language?
Stupid graphical example:

T1:

| name | sourcetype |
|---|---|
| service_1 | acpt |

T2:

| name | sourcetype |
|---|---|
| service_1 | acpt |
| service_2 | acpt |

T3 (T2 - T1):

| name | sourcetype |
|---|---|
| service_2 | acpt |
For question 2, you could use the stats command and search for the field values that have only one count (so nothing in common). It's like a GROUP BY.

| stats count by name sourcetype

After that, you search for count=1 to get the difference:

| search count=1
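Putting both questions together, as an added example that is not code from the question or the answer above: the subsearch builds the hard-coded T2 with makeresults, makemv and mvexpand (question 1), the append joins it to the live T1, and stats plus where keeps only the names that appear in T2 and not in T1 (question 2). The search on the first line is a placeholder for whatever search produces T1, the values service_1, service_2 and acpt are taken from the example tables, and the field name src is an arbitrary choice used only to remember which table a row came from.

```spl
index=your_index sourcetype=acpt
| stats count by name sourcetype
| eval src="T1"
| append
    [| makeresults
     | eval name="service_1,service_2", sourcetype="acpt"
     | makemv delim="," name
     | mvexpand name
     | eval src="T2"
     | fields name sourcetype src]
| stats values(src) as src by name sourcetype
| where mvcount(src)=1 AND src="T2"
| fields name sourcetype
```

The first stats dedupes T1 before the append, so a name that occurs many times in the raw events still yields one T1 row. The second stats is the GROUP BY equivalent; values(src) collects which tables contributed a row, and where keeps the rows that came only from T2, which is exactly T2 - T1. Filtering on count=1 instead would also return names present in T1 but not in T2 (a symmetric difference, which is what set diff gives as well), and it would break if the same name were listed more than once in either table, so the tag on src is the check to keep when the direction of the difference matters.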