Hi,
Thanks for your time. I'm using Splunk to parse the log.
I have two searches. The columns I get from A are as below:
tktnum, prcnum, type
The columns for search B are:
tktnum, _time
How may I find the tktnum values that exist in A but not in B, then print a table like:
tktnum (in A, not B), prcnum, type
search A with tktnum, prcnum, type
| stats values(tktnum) as TKT1, values(prcnum) as PRCNUM, values(ftrectyp) as TYPE
| appendcols [search B with tktnum
| stats values(tktnum) as TKT2 ]
| makemv TKT1
| makemv TYPE
| mvexpand TKT1
| mvexpand TYPE
| where not match(TKT2, TKT1)
| table TKT1, TYPE
I do get the tktnum values which exist in A but not in B, but the problem is that TYPE does not match. Can anyone help with it?
The type should correspond to that tktnum from the original row, but what I get now is different.
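
One way to get the "in A but not in B" rows while keeping prcnum and type paired with their tktnum, as an added example that is not part of the original post: filter A's rows with a NOT subsearch before any stats values() call, so each row's fields are never split apart. The four A rows and two B tktnum values are constructed sample data built with makeresults, standing in for search A and search B.

```spl
| makeresults
| eval row="1001,P10,NEW;1002,P20,CHG;1003,P30,DEL;1004,P40,CHG"
| makemv delim=";" row
| mvexpand row
| rex field=row "^(?<tktnum>[^,]+),(?<prcnum>[^,]+),(?<type>[^,]+)$"
| search NOT
    [| makeresults
     | eval tktnum="1002;1004"
     | makemv delim=";" tktnum
     | mvexpand tktnum
     | table tktnum]
| table tktnum, prcnum, type
```

On real data, replace the first five lines with search A and the body of the subsearch with search B, keeping the final `| table tktnum` so that only that field becomes the filter. Subsearches are subject to result-count and runtime limits, so a very large B needs a different approach.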