topic Re: How to compare event data with lookup data to find missing field values? in Splunk Search

How to compare event data with lookup data to find missing field values?

gauravu_14 — Mon, 02 Oct 2023 10:19:44 GMT

I need to compare the values of 2 fields from the Splunk data with the field-values from the lookup and find the missing values from the Splunk data and output those missing field value pairs

For ex:

index=test sourcetype=splunk_test_data
fields: field1, field2

lookup: test_data.csv
Fields: field1, field2

The output should show missing values from the Splunk data and output those missing values

Any help would be appreciated
Thanks

Re: How to compare event data with lookup data to find missing field values?

richgalloway — Thu, 28 Sep 2023 19:38:04 GMT

To find out which fields are present in the lookup and absent in the index use a subsearch, like this:

| inputlookup test_data.csv where NOT [search index=test sourcetype=splunk_test_data | fields field1 field2 | format]

Re: How to compare event data with lookup data to find missing field values?

gauravu_14 — Mon, 02 Oct 2023 10:18:23 GMT

I would like to know which values are missing in the events compared to the lookup and output those field-values

Re: How to compare event data with lookup data to find missing field values?

richgalloway — Mon, 02 Oct 2023 12:09:16 GMT

The same search should do that. It's a matter of how extensive the lookup file is.