https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374085#M109954 <P>Sorry mate , I had the dates in two different formats and hence the whole differences where thrown up . It did get the work moving, but is there a way we can identify the column which had the change ?</P> Wed, 14 Feb 2018 04:05:53 GMT madakkas 2018-02-14T04:05:53Z https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374081#M109950 <P>Hi All,</P> <P>I have a question that I am trying to solve … </P> <P>I have two files which I can upload to be used as inputlookup.csv</P> <P>Sample as below <BR /> tab1.csv<BR /> Date Col1 Col2 Col3 Col4 Col5<BR /> 1-Jan-18 Y N N N N<BR /> 2-Jan-18 Y N N N N<BR /> 3-Jan-18 Y Y Y Y Y<BR /> 4-Jan-18 Y Y Y Y Y<BR /> 5-Jan-18 Y Y Y Y Y<BR /> 6-Jan-18 Y Y Y Y Y<BR /> 7-Jan-18 Y N N N Y<BR /> 8-Jan-18 Y N N N Y<BR /> 9-Jan-18 Y Y N Y Y<BR /> 10-Jan-18 Y Y Y Y Y</P> <P>tab2.csv<BR /><BR /> Date Col1 Col2 Col3 Col4 Col5<BR /> 1-Jan-18 Y N N N N<BR /> 2-Jan-18 Y N N N N<BR /> 3-Jan-18 Y Y Y Y Y<BR /> 4-Jan-18 N Y Y Y Y<BR /> 5-Jan-18 Y Y Y Y Y<BR /> 6-Jan-18 Y Y Y Y Y<BR /> 7-Jan-18 Y N N N Y<BR /> 8-Jan-18 Y N N N Y<BR /> 9-Jan-18 Y Y Y Y Y<BR /> 10-Jan-18 Y Y Y Y Y</P> <P>I am looking for a way to join these two tables and sort the areas where there is a change as below </P> <P>Date Col1 Col2 Col3 Col4 Col5 Output<BR /> 4-Jan-18 N<BR /><BR /> 9-Jan-18 Y </P> <P>|inputlookup tab1.csv<BR /> |lookup tab2.csv Date Col1 Col2.</P> <P>this gives me a complete set of results along with the mismatched columns. How can i remove all except the mismatched columns. </P> <P>thank You in advance. </P> Tue, 13 Feb 2018 04:05:55 GMT https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374081#M109950 madakkas 2018-02-13T04:05:55Z https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374082#M109951 <P>try this out as a base maybe we can work form there:</P> <PRE><CODE> | inputlookup tab2.csv | search NOT [| inputlookup tab1.csv ] </CODE></PRE> <P>this will give you the entire line in which there was a change<BR /> hope it helps a little </P> Tue, 13 Feb 2018 15:55:34 GMT https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374082#M109951 adonio 2018-02-13T15:55:34Z https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374083#M109952 <P>it just gave me the entire tab2.csv, not the differences in them . </P> Wed, 14 Feb 2018 02:33:33 GMT https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374083#M109952 madakkas 2018-02-14T02:33:33Z https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374084#M109953 <P>@madakkas,<BR /> copied your sample to the letter. here is a screenshot.<BR /> can you double check<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4375i4472C8AC200597BA/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 14 Feb 2018 03:54:53 GMT https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374084#M109953 adonio 2018-02-14T03:54:53Z https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374085#M109954 <P>Sorry mate , I had the dates in two different formats and hence the whole differences where thrown up . It did get the work moving, but is there a way we can identify the column which had the change ?</P> Wed, 14 Feb 2018 04:05:53 GMT https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374085#M109954 madakkas 2018-02-14T04:05:53Z https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374086#M109955 <P>i am puzzled by it as well. trying to come up with a solution and will post it here once i figure it out</P> Wed, 14 Feb 2018 11:10:59 GMT https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374086#M109955 adonio 2018-02-14T11:10:59Z https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374087#M109956 <P>I did something as below , though it is a bit complicated. Will as well wait for your advise if you have any simpler thoughts. </P> <P>Kind of created a macro as below </P> <P>|inputlookup tab1.csv| append [inputlookup tab2.csv]<BR /> |table Date $col_num$<BR /> |chart count over Date by $col_num$ |eval col_name = "$col_num$" |where N = 1 or Y = 1<BR /> |table Date col_name</P> <P>and then will have to do an append to call the macro multiple times with the number of columns available. </P> Tue, 29 Sep 2020 18:03:31 GMT https://community.splunk.com/t5/Splunk-Search/Using-Lookup-files-and-identifying-the-changes-in-each-file/m-p/374087#M109956 madakkas 2020-09-29T18:03:31Z