Hi,
Thanks for your time. I'm using Splunk to parse the log.
I have two searches. The columns I get from A are as below:
tktnum, prcnum, type
The columns for search B are:
tktnum, _time.
How can I find the tktnum values that exist in A but not in B, then print a table like
tktnum(In A not B), prcnum, type
search A with tktnum, prcnum, type
| stats values(tktnum) as TKT1, values(prcnum) as PRCNUM, values(ftrectyp) as TYPE
| appendcols [search B with tktnum
| stats values(tktnum) as TKT2 ]
| makemv TKT1
| makemv TYPE
| mvexpand TKT1
| mvexpand TYPE
| where not match(TKT2, TKT1)
| table TKT1, TYPE
I do get the tktnum values which exist in A and not in B, but the problem is that TYPE does not match. Can anyone help with it?
The type should correspond to that tktnum from the original row, but what I get now is different.
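One way to keep each row's fields together, as an added example that is not part of the original post: `stats values()` collapses every column into its own independent multivalue list, so expanding TKT1 and TYPE separately pairs every ticket with every type. The query below never aggregates the rows from A; it flags per event whether the same tktnum also appears in B. The index names `example_a` and `example_b` are hypothetical stand-ins for "search A" and "search B", and the columns are the names given in the post.

```spl
(index=example_a tktnum=*) OR (index=example_b tktnum=*)
| eval in_b=if(index=="example_b", 1, 0)
| eventstats max(in_b) as seen_in_b by tktnum
| where seen_in_b=0
| table tktnum, prcnum, type
```

Every event from B has `seen_in_b=1`, so only rows from A whose tktnum never occurs in B survive, each with its original prcnum and type.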