https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503467#M85764 <P>HI rohankin,<BR /> I was answering to your previous comment, but now I cannot see it, probably you deleted it, is it correct?</P> <P>Anyway you can filter results with a simple option in the first row</P> <PRE><CODE>| inputlookup Dataset1.csv WHERE "Application Name"=* </CODE></PRE> <P>Ciao.<BR /> Giuseppe</P> Mon, 14 Oct 2019 12:49:41 GMT gcusello 2019-10-14T12:49:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503464#M85761 <P>Hi,<BR /> I am new to Splunk and am stuck at the this problem. To elaborate: </P> <P>I have attached example of datasets and the desired result table that I am working with here. <BR /> Datasets that I am using are KVStore lookups. </P> <P>But basically I am trying to connect dataset 1 to dataset 2 bringing over attributes (Flag A,B &amp; C) based on condition. <BR /> Condition is applied to column "Application Name" and there is many to one mapping which is confusing me. </P> <P>Any help is greatly appreciated ! </P> <P>(PS: Key is to have value of Flag= True in the output if it is true for any of the application mapped to that device name)</P> <UL> <LI>Rohan <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7824i3E7CB9D951581FF0/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></LI> </UL> Sat, 12 Oct 2019 18:10:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503464#M85761 rohankin 2019-10-12T18:10:07Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503465#M85762 <P>HI rohankin,<BR /> try something like this:</P> <PRE><CODE>| inputlookup Dataset1.csv | rename "Application Name" AS ApplicationName | makemv delim="," ApplicationName | mvexpand ApplicationName | lookup Dataset2.csv "Application Name" AS ApplicationName OUTPUT Flag-A Flag-B Flag-C | stats values(ApplicationName) AS ApplicationName values(Flag-A) AS Flag-A values(Flag-B) AS Flag-B values(Flag-C) AS Flag-C BY "Device name" | rename ApplicationName AS "Application Name" </CODE></PRE> <P>If possible, avoid spaces in field names!</P> <P>Ciao.<BR /> Giuseppe</P> Sun, 13 Oct 2019 11:06:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503465#M85762 gcusello 2019-10-13T11:06:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503466#M85763 <P>Thanks for the quick reply !!!!! </P> <P>Did some work and as it turns out "Application Name" field has NULLs which might be affecting the results. And number do add up.</P> <P>So, dataset 1 has 9959 records that do not have NULL in it and final results after using your query have 9959 records so I guess it is excluding those which do not have any value in "Application Name" field. </P> <P>Any way we can handle those NULL values ? Those devices that have nothing "Application Name" field should just get all the flags as "False" </P> Mon, 14 Oct 2019 12:40:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503466#M85763 rohankin 2019-10-14T12:40:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503467#M85764 <P>HI rohankin,<BR /> I was answering to your previous comment, but now I cannot see it, probably you deleted it, is it correct?</P> <P>Anyway you can filter results with a simple option in the first row</P> <PRE><CODE>| inputlookup Dataset1.csv WHERE "Application Name"=* </CODE></PRE> <P>Ciao.<BR /> Giuseppe</P> Mon, 14 Oct 2019 12:49:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503467#M85764 gcusello 2019-10-14T12:49:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503468#M85765 <P>Hi Giuseppe,</P> <P>Ya. Deleted the comment after I realized the mix-up with the NULL values. I thought about using * as you have stated but the problem is I don't want to limit results only to the devices that have the "Application Name ".</P> <P>Rather for devices that do not have anything in "Application Name" , I would want to display them in the output with all three flags set to "False". </P> <P>Meaning, the final output should have all the 27,223 records from Dataset 1. <BR /> Out of which 9959 records will have flag values based on "Application Name" field while remaining will just have "False" flags as there is nothing in "Application Name" field in dataset 1 for those devices.</P> <P>Does that make sense ? </P> <UL> <LI>Rohan </LI> </UL> Mon, 14 Oct 2019 13:09:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503468#M85765 rohankin 2019-10-14T13:09:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503469#M85766 <P>Hi gcusello,<BR /> Ya. I deleted the the comments after realizing the mix-up wit the NULL values but to answer you , I did try using Application Name"=*. But I dont want to exclude any of the devices that have NULL values in "Application Name" field in dataset 1.</P> <P>For ex. <BR /> Dataset 1(Devices): Number of records: 27,223 </P> <P>Dataset 2(Applications): Number of records:4,919&nbsp;</P> <P>Desired Output: Expected number of results:27,223 <BR /> where 9959 records will have Flag values based match between Dataset 1 and Dataset 2(Your initial query is doing this)</P> <P>and </P> <P>remaining records (with "Application Name" NULL in dataset 1) will have all the flags set to False. </P> <P>I feel adding "Application Name"=* will only keep the rows from dataset 1 that has values in <BR /> "Application Name" which I dont want to do. I want to keep all the 27,223 records in the output. </P> Mon, 14 Oct 2019 13:22:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503469#M85766 rohankin 2019-10-14T13:22:53Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503470#M85767 <P>HI rohankin,<BR /> to add also the empty "Application Name", use this command:<BR /> | eval Flag-A=if(isnull("Application Name"),"False",Flag-A), Flag-B=if(isnull("Application Name"),"False",Flag-B), Flag-C=if(isnull("Application Name"),"False",Flag-C)<BR /> Ciao.<BR /> Giuseppe</P> Mon, 14 Oct 2019 14:43:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503470#M85767 gcusello 2019-10-14T14:43:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503471#M85768 <P>Thanks Gcusello ! that worked like a charm. I will have to do some extra work on the data though as it has many duplicates, NULLs and garbage data. </P> Thu, 24 Oct 2019 12:47:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503471#M85768 rohankin 2019-10-24T12:47:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503472#M85769 <P>Good work and happy splunking!<BR /> If this answer solved your problem, please accept and/ot upvote it.</P> <P>Ciao and next time!<BR /> Giuseppe</P> Thu, 24 Oct 2019 12:52:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-dynamically-based-on-string-match-across-two/m-p/503472#M85769 gcusello 2019-10-24T12:52:58Z