https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648928#M9599 <P>Thankyou <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;, it's working as expected. Appreciated your time and support</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>Satheesh</P> Sun, 02 Jul 2023 07:19:51 GMT Satheesh_red 2023-07-02T07:19:51Z https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648584#M9582 <P>Hi,</P><P>The lookup field values must match the field values returned by the query, and the results must be shown as yes/no depending on whether the match happens. but we are unable to match and are unable to publish all of the information from the lookup fields in the results. Please assist.</P><P>My lookup file:-</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Satheesh_red_0-1687971460236.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26062iD6094A8EBF853627/image-size/medium?v=v2&amp;px=400" role="button" title="Satheesh_red_0-1687971460236.png" alt="Satheesh_red_0-1687971460236.png" /></span></P><P>My query:-<BR />index = * sourcetype=* host=* | rex field=source "\/u02\/logs\/patch_(?&lt;domain_name&gt;.+).log"| rex field=_raw max_match=0 "\s(?&lt;Patch_num&gt;[^ ]+);" | dedup host | mvexpand Patch_num | lookup soa_nonprod_Q_patches.csv Patch_num | table domain_name host Patch_num patchlist | eval match_status=if(match(Patch_num,patchlist),"Yes","No")<BR />| table domain_name host Patch_num match_status</P><P>&nbsp;</P><P>Result output:-</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Satheesh_red_1-1687972152290.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26063iF38DCAB00C22615A/image-size/medium?v=v2&amp;px=400" role="button" title="Satheesh_red_1-1687972152290.png" alt="Satheesh_red_1-1687972152290.png" /></span></P><P>&nbsp;</P><P>18387355 value is missing in the Patch_num output and it should be 'No'&nbsp; in matching_status field as thsi value is not available in the Search result field.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards,<BR />Satheesh&nbsp;</P> Wed, 28 Jun 2023 17:14:48 GMT https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648584#M9582 Satheesh_red 2023-06-28T17:14:48Z https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648596#M9583 <P>Rather than looking up the patch_num, you could set a field to 2, append the .csv with the same field set to 1, and then sum the field by patch_num using eventstats. Where the sum is 1, the patch_num only exists in the csv.</P> Wed, 28 Jun 2023 20:20:45 GMT https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648596#M9583 ITWhisperer 2023-06-28T20:20:45Z https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648609#M9584 <P>Thankyou for your reply <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>Would please share me the sample/reference syntax will be really helpful.</P><P>Thankyou for understanding.</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>Satheesh</P> Thu, 29 Jun 2023 01:50:12 GMT https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648609#M9584 Satheesh_red 2023-06-29T01:50:12Z https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648616#M9586 <P>Try something like this</P><LI-CODE lang="markup">index = * sourcetype=* host=* | rex field=source "\/u02\/logs\/patch_(?&lt;domain_name&gt;.+).log" | rex field=_raw max_match=0 "\s(?&lt;Patch_num&gt;[^ ]+);" | dedup host | mvexpand Patch_num | eval from=2 | append [ | inputlookup soa_nonprod_Q_patches.csv | eval from=1] | eventstats sum(from) as from by Patch_num | where isnotnull(domain_name) OR from=1 | eval match_status=case(from==1,"Not in events",from%2==0,"Not in list",1==1,"In events and list") | table domain_name host Patch_num match_status</LI-CODE> Thu, 29 Jun 2023 05:25:46 GMT https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648616#M9586 ITWhisperer 2023-06-29T05:25:46Z https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648685#M9590 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>While performing more validations, I noticed an issue.</P><P>When I put host=* it's not giving accurate results, and if I remove host=* and checking with index=abc and source type=xyz also isn't giving correct results, any reason? The command is operating just fine with just one host every time, meaning each time we have to pass against with one host.</P><P>index=abc and source type=xyz host=abc - working fine</P><P>index=abc and source type=xyz host=* - not working</P><P>index=abc and source type=xyz - not working.</P><P>Kindly suggest.</P><P>&nbsp;</P><P>Regards,<BR />Satheesh&nbsp;</P> Thu, 29 Jun 2023 16:46:44 GMT https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648685#M9590 Satheesh_red 2023-06-29T16:46:44Z https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648713#M9591 <P>Sounds like an issue with your data. You haven't provided enough detail as to why some hosts are not working.</P> Thu, 29 Jun 2023 21:01:38 GMT https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648713#M9591 ITWhisperer 2023-06-29T21:01:38Z https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648729#M9593 <P>My apologies <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>I'm looking for, matching case of Patch_num in the events for each and every host that are existed in lookup list.</P><P>Ex:- if lookup list is having 25 patch numbers row list and host A Patch_num resulted 24 in the events and host B resulted 25 in the events and host C resulted 20 events and so on for N number of hosts. The output match case should be with list 25 patches for each host.</P><P>Domain_name&nbsp; &nbsp;Host&nbsp; patchlist&nbsp; &nbsp;Match_case</P><P>&nbsp; xyz1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ABC&nbsp; &nbsp;Row 1 num in list&nbsp; Yes/no</P><P>xyz1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ABC&nbsp; Row 2 number in list Yes/no</P><P>xyzN&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ABC. .....RowN(like this for all the rows in the list,ex 25)&nbsp; &nbsp; &nbsp; Yes/No</P><P>xyz2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; DEF&nbsp; &nbsp; Row1 num in list&nbsp; Yes/no</P><P>xyz2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;DEF.&nbsp; &nbsp;Row1. num in list.&nbsp; &nbsp;Yes/no</P><P>xyzN&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; DEF.&nbsp; &nbsp;RowN.&nbsp; &nbsp; &nbsp; &nbsp; Yes/No</P><P>xyz3.&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; GHI.&nbsp; &nbsp;Row1 num in list.&nbsp; &nbsp;Yes/No</P><P>xyz3.&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; GHI.&nbsp; &nbsp;Row2 num in list Yes/No</P><P>&nbsp;</P><P>Like this, Yes/No match case with Patch_num are available in the events for each host.</P><P>Each host should be having some list of patch numbers and available in Patch_num events filled.</P><P>Hope this explanation helps, please let me know if required additional details.</P><P>Thankyou for helping.</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>Satheesh</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 30 Jun 2023 02:01:42 GMT https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648729#M9593 Satheesh_red 2023-06-30T02:01:42Z https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648732#M9595 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>I hope below screenshot looks more helpful for you.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Satheesh_red_0-1688099311326.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26080i9FB0E5676F8C6072/image-size/medium?v=v2&amp;px=400" role="button" title="Satheesh_red_0-1688099311326.png" alt="Satheesh_red_0-1688099311326.png" /></span></P><P>&nbsp;</P><P>Regards,<BR />Satheesh&nbsp;</P> Fri, 30 Jun 2023 04:28:49 GMT https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648732#M9595 Satheesh_red 2023-06-30T04:28:49Z https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648863#M9598 <LI-CODE lang="markup">index = * sourcetype=* host=* | rex field=source "\/u02\/logs\/patch_(?&lt;domain_name&gt;.+).log" | rex field=_raw max_match=0 "\s(?&lt;Patch_num&gt;[^ ]+);" | dedup host | append [ | inputlookup soa_nonprod_Q_patches.csv] | eventstats values(Patch_num) as Patch_list | where isnotnull(host) | mvexpand Patch_list | eval match_status=if(isnotnull(mvfind(Patch_num, Patch_list)), "Yes", "No") | table domain_name host Patch_list match_status</LI-CODE> Sat, 01 Jul 2023 07:37:03 GMT https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648863#M9598 ITWhisperer 2023-07-01T07:37:03Z https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648928#M9599 <P>Thankyou <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;, it's working as expected. Appreciated your time and support</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>Satheesh</P> Sun, 02 Jul 2023 07:19:51 GMT https://community.splunk.com/t5/Knowledge-Management/Match-lookup-field-values-with-Splunk-results-and-display-over/m-p/648928#M9599 Satheesh_red 2023-07-02T07:19:51Z