https://community.splunk.com/t5/Alerting/How-do-you-compare-two-results/m-p/396873#M6998 <P>@btawiah-can you extract the filed that has location from your raw logs? If not then you will have to provide a log sample.<BR /> Once you extract the field say loc , the query can be something like this-</P> <PRE><CODE> |inputlookup maintable.csv| join type=outer location[search index=* | rename loc as location| fields source]| where ISNULL(source) </CODE></PRE> Tue, 02 Apr 2019 16:38:59 GMT Vijeta 2019-04-02T16:38:59Z https://community.splunk.com/t5/Alerting/How-do-you-compare-two-results/m-p/396872#M6997 <P>I have a table(main table).csv with field location.</P> <P>I have raw logs that includes field location</P> <PRE><CODE>main table.csv location_field A B C Raw logs location_field A B </CODE></PRE> <P>Please, I need help with a query that will check raw logs against main table and give a result of C missing</P> <P>search result should return C</P> Tue, 02 Apr 2019 16:26:48 GMT https://community.splunk.com/t5/Alerting/How-do-you-compare-two-results/m-p/396872#M6997 btawiah 2019-04-02T16:26:48Z https://community.splunk.com/t5/Alerting/How-do-you-compare-two-results/m-p/396873#M6998 <P>@btawiah-can you extract the filed that has location from your raw logs? If not then you will have to provide a log sample.<BR /> Once you extract the field say loc , the query can be something like this-</P> <PRE><CODE> |inputlookup maintable.csv| join type=outer location[search index=* | rename loc as location| fields source]| where ISNULL(source) </CODE></PRE> Tue, 02 Apr 2019 16:38:59 GMT https://community.splunk.com/t5/Alerting/How-do-you-compare-two-results/m-p/396873#M6998 Vijeta 2019-04-02T16:38:59Z https://community.splunk.com/t5/Alerting/How-do-you-compare-two-results/m-p/396874#M6999 <P>@Vijeta i actually updated the question. I dont have to extract fields because that already exist. I only need to get the difference and output the one from raw logs since that is not in the main table location field. </P> Tue, 02 Apr 2019 16:50:48 GMT https://community.splunk.com/t5/Alerting/How-do-you-compare-two-results/m-p/396874#M6999 btawiah 2019-04-02T16:50:48Z https://community.splunk.com/t5/Alerting/How-do-you-compare-two-results/m-p/396875#M7000 <P>@btawiah Try running this query, write the name of your index instead of "yourindexname"</P> <PRE><CODE> |inputlookup maintable.csv| join type=outer location_field[search index="yourindexname"| fields source]| where ISNULL(source) </CODE></PRE> Tue, 02 Apr 2019 16:57:37 GMT https://community.splunk.com/t5/Alerting/How-do-you-compare-two-results/m-p/396875#M7000 Vijeta 2019-04-02T16:57:37Z https://community.splunk.com/t5/Alerting/How-do-you-compare-two-results/m-p/396876#M7001 <P>I got it done. Thanks<BR /> | inputlookup main_table.csv <BR /> | fields location<BR /> | eval count=0 <BR /> | append <BR /> [ search index=someindex* <BR /> | fields location<BR /> | stats count BY location ] <BR /> | stats sum(count) by location <BR /> | where count= 0</P> <P>Whenever results return 0 that means those locations are not in main table </P> Wed, 03 Apr 2019 16:28:02 GMT https://community.splunk.com/t5/Alerting/How-do-you-compare-two-results/m-p/396876#M7001 btawiah 2019-04-03T16:28:02Z https://community.splunk.com/t5/Alerting/How-do-you-compare-two-results/m-p/396877#M7002 <P>I got it done. Thanks<BR /> | inputlookup main_table.csv <BR /> | fields location<BR /> | eval count=0 <BR /> | append <BR /> [ search index=someindex* <BR /> | fields location<BR /> | stats count BY location ] <BR /> | stats sum(count) AS missing by location <BR /> | where missing= 0</P> <P>Whenever results return 0 that means those locations are not in main table </P> Wed, 03 Apr 2019 16:28:27 GMT https://community.splunk.com/t5/Alerting/How-do-you-compare-two-results/m-p/396877#M7002 btawiah 2019-04-03T16:28:27Z