topic Re: How to compare a lookup field value with my current search? in Splunk Search

How to compare a lookup field value with my current search?

AdixitSplunk — Mon, 27 Feb 2017 10:30:56 GMT

HI All,
I have a lookup table with host names value around 10 field name host.
I have this search index=Application sourcetype=Servers |stats count by host

I have to compare host in Lookup table with the one in above search and result should give only those host names which are not present in Lookup file.

Suppose my lookup file has below host names:

host
1
2
3
4 
5

My search gives:

host
1 
4
5

So the final result should be :

host
2
3

Thanks in advance.

Re: How to compare a lookup field value with my current search?

adayton20 — Mon, 27 Feb 2017 11:29:24 GMT

Try this:

index=Application sourcetype=Servers
| search [|inputlookup yourLookup | fields + host | table host] 
| stats count by host

Re: How to compare a lookup field value with my current search?

AdixitSplunk — Mon, 27 Feb 2017 11:52:38 GMT

Thanks for your reply but its not giving the right answer . The below did 🙂

index="Application" sourcetype=Servers|eval host=lower(host)|eval started_host="T"|append [inputlookup Mylookup|eval started_host="F"]|stats count(eval(started_host=="T")) as started by host|where started == 0

Re: How to compare a lookup field value with my current search?

aaraneta_splunk — Mon, 27 Feb 2017 21:08:26 GMT

@AdixitSplunk - Did your above comment provide a working solution to your question? If yes and you would like to close out your post, please let me know so I can convert it to an Answer to be accepted. Thanks!

Re: How to compare a lookup field value with my current search?

woodcock — Tue, 28 Feb 2017 21:43:17 GMT

Like this:

index=Application sourcetype=Servers | stats count by host | appendpipe [|inputlookup hostLookup | table host | eval sourcetype="LOOKUP"] | stats values(*) AS * dc(sourcetype) AS numDatasets BY host | search numDatasets=1 AND sourcetype="LOOKUP" | table host