https://community.splunk.com/t5/Getting-Data-In/Need-help-to-compare-a-CSV-file-with-an-index/m-p/468143#M80616 <P>thanks even if the search is very long</P> Wed, 30 Oct 2019 13:38:55 GMT jip31 2019-10-30T13:38:55Z https://community.splunk.com/t5/Getting-Data-In/Need-help-to-compare-a-CSV-file-with-an-index/m-p/468139#M80612 <P>Hi,<BR /> I need to compare the field host of my CSV file with the field host of my index.<BR /> I used the search below but I have no results.<BR /> What is wrong, please!</P> <PRE><CODE>| inputlookup test.csv | lookup test.csv HOSTNAME as host output SITE STATUS | join host [ search index=tutu] | stats values(SITE) as SITE, values(STATUS) as STATUS by host </CODE></PRE> Wed, 30 Oct 2019 10:40:36 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-to-compare-a-CSV-file-with-an-index/m-p/468139#M80612 jip31 2019-10-30T10:40:36Z https://community.splunk.com/t5/Getting-Data-In/Need-help-to-compare-a-CSV-file-with-an-index/m-p/468140#M80613 <P>This is doing a join on an entire index which is unnecessary. Here is how you want to do it.</P> <PRE><CODE>index=tutu [| inputlookup test.csv | rename HOSTNAME as host | fields host] | lookup test.csv HOSTNAME as host output SITE STATUS | stats values(SITE) as SITE, values(STATUS) as STATUS by host </CODE></PRE> <P>line 1 is fetching data from your index tutu<BR /> line 2-4 is a subquery which filters your data to only those hosts present in the file<BR /> line 5 is then doing a lookup and fetching the site and status and line 6 is your stats which is summarizing these</P> <P>Hope this helps.<BR /> Cheers</P> Wed, 30 Oct 2019 11:20:17 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-to-compare-a-CSV-file-with-an-index/m-p/468140#M80613 arjunpkishore5 2019-10-30T11:20:17Z https://community.splunk.com/t5/Getting-Data-In/Need-help-to-compare-a-CSV-file-with-an-index/m-p/468141#M80614 <P>@jip31</P> <P>Can you please share your expected output?<BR /> Meanwhile try by replacing lookup command with below one. </P> <P><CODE>| lookup test.csv HOSTNAME as host OUTPUTNEW HOSTNAME as host,SITE, STATUS</CODE></P> Wed, 30 Oct 2019 11:22:03 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-to-compare-a-CSV-file-with-an-index/m-p/468141#M80614 kamlesh_vaghela 2019-10-30T11:22:03Z https://community.splunk.com/t5/Getting-Data-In/Need-help-to-compare-a-CSV-file-with-an-index/m-p/468142#M80615 <P>Hi,</P> <P>Please try below query.</P> <PRE><CODE>index=tutu | stats count by host | fields - count | inputlookup test2.csv append=t | eval host=lower(host) | stats count, values(SITE) as SITE, values(STATUS) as STATUS by host </CODE></PRE> <P>If you want to see only those host which are matching with lookup only then you can try below query.</P> <PRE><CODE>index=tutu | stats count by host | fields - count | lookup test2.csv host OUTPUT </CODE></PRE> Wed, 30 Oct 2019 11:26:01 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-to-compare-a-CSV-file-with-an-index/m-p/468142#M80615 harsmarvania57 2019-10-30T11:26:01Z https://community.splunk.com/t5/Getting-Data-In/Need-help-to-compare-a-CSV-file-with-an-index/m-p/468143#M80616 <P>thanks even if the search is very long</P> Wed, 30 Oct 2019 13:38:55 GMT https://community.splunk.com/t5/Getting-Data-In/Need-help-to-compare-a-CSV-file-with-an-index/m-p/468143#M80616 jip31 2019-10-30T13:38:55Z