https://community.splunk.com/t5/Splunk-Search/Search-to-identify-missing-data-between-2-sets-of-data/m-p/294009#M164916 <P>I apologize for not being clear but the formatting was all crazy, so just want to clarify. it isn't setup as an official lookup table. the first table has 2 fields: Business Unit Type and Required position. So for each business unit there are multiple entries, one for each required position. The other data has 3 fields: SSN, business unit and their current position.</P> <P>so the bottom line is that when a record from the second data source is read, we know the business unit being referred to and going to the first data source for that business unit, we know all of the required positions that need to be there. So we want to search through the 2nd data source to see if every position has an entry and report on what's missing.</P> <P>Does your solution still solve this question?</P> Wed, 22 Nov 2017 22:22:12 GMT collumc 2017-11-22T22:22:12Z https://community.splunk.com/t5/Splunk-Search/Search-to-identify-missing-data-between-2-sets-of-data/m-p/294006#M164913 <P>Looking for an SPL way to identify missing data between 2 sets of data. <BR /> To simplify the problem, I will present it this way: </P> <OL> <LI><P>The first set of data is essentially the lookup and identifies the type of business unit as well as all required positions:<BR /> Business Unit Type Required position<BR /> Financial Director<BR /> Financial AsstDirector<BR /> Financial AdminAsst<BR /> Financial Lead<BR /> IT VicePresident<BR /> IT Director<BR /> Etc…</P></LI> <LI><P>The second set of data is essentially the event data and identifies all people working in the company along with their business unit type and their position:<BR /> SSN Business Unit Type Position<BR /> 111229999 IT Director<BR /> 222114444 Financial Lead<BR /> 444552222 Financial AsstDirector <BR /> 999338888 Financial Director<BR /> 334225544 IT VicePresident</P></LI> </OL> <P>How can I use SPL to determine which business units are missing required positions?</P> <P>For example, the Financial business unit is missing an AdminAsst. In a standard programming language I could dedup the transactions coming in by business unit and then loop through the lookup for all required positions for that business unit, then search the list of employees for matches to each.</P> <P>How can this done in SPL… are there a good, better, best ways to accomplish this?</P> Wed, 22 Nov 2017 21:30:19 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-identify-missing-data-between-2-sets-of-data/m-p/294006#M164913 collumc 2017-11-22T21:30:19Z https://community.splunk.com/t5/Splunk-Search/Search-to-identify-missing-data-between-2-sets-of-data/m-p/294007#M164914 <P>the tabs threw the format off a little:<BR /> data set 1(lookup data):<BR /> <STRONG>Business Unit Type</STRONG> <STRONG>Required position</STRONG><BR /> Financial Director<BR /> Financial AsstDirector<BR /> Financial AdminAsst<BR /> Financial Lead<BR /> IT VicePresident<BR /> IT Director<BR /> Etc…</P> <P>Dataset 2:<BR /> <STRONG>SSN</STRONG> Business Unit Type Position<BR /> 111229999 IT Director<BR /> 222114444 Financial Lead<BR /> 444552222 Financial AsstDirector <BR /> 999338888 Financial Director<BR /> 334225544 IT VicePresident</P> Wed, 22 Nov 2017 21:35:37 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-identify-missing-data-between-2-sets-of-data/m-p/294007#M164914 collumc 2017-11-22T21:35:37Z https://community.splunk.com/t5/Splunk-Search/Search-to-identify-missing-data-between-2-sets-of-data/m-p/294008#M164915 <P>Try like this (will give you all the "Business Unit Type" Position combination which are in lookup but not in event data)</P> <PRE><CODE>your event data search to get all "SSN" "Business Unit Type" "Position" field values | stats count by "Business Unit Type" Position | append [| inputlookup BU_Position_lookup.csv | table "Business Unit Type" "Required position" | rename "Required position" as Position | eval count=0] | stats max(count) as count by "Business Unit Type" Position | where count=0 </CODE></PRE> Wed, 22 Nov 2017 22:01:29 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-identify-missing-data-between-2-sets-of-data/m-p/294008#M164915 somesoni2 2017-11-22T22:01:29Z https://community.splunk.com/t5/Splunk-Search/Search-to-identify-missing-data-between-2-sets-of-data/m-p/294009#M164916 <P>I apologize for not being clear but the formatting was all crazy, so just want to clarify. it isn't setup as an official lookup table. the first table has 2 fields: Business Unit Type and Required position. So for each business unit there are multiple entries, one for each required position. The other data has 3 fields: SSN, business unit and their current position.</P> <P>so the bottom line is that when a record from the second data source is read, we know the business unit being referred to and going to the first data source for that business unit, we know all of the required positions that need to be there. So we want to search through the 2nd data source to see if every position has an entry and report on what's missing.</P> <P>Does your solution still solve this question?</P> Wed, 22 Nov 2017 22:22:12 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-identify-missing-data-between-2-sets-of-data/m-p/294009#M164916 collumc 2017-11-22T22:22:12Z