Splunk Search

Outputnew: How do I compare two Fields in two Lookup tables?

russell120
Communicator

Hello,

I need help finding out how I can display field values of one lookup that are not present in the same-named field as another lookup.

Ex: lookup1.csv has the below data.
Field: colors
red
orange
yellow

Ex: lookup2.csv has the below data.
Field: colors
orange
red
green
blue

The results should display yellow because yellow is a value within the colors field of lookup1.csv , but is not a value in the colors field of lookup2.csv.

Thanks.

Tags (2)
0 Karma
1 Solution

russell120
Communicator

|inputlookup lookup1.csv
|lookup lookup2.csv colors OUTPUTNEW colors as Missing_Colors
|where isnull(Missing_Colors)

Ah, this did the trick.

View solution in original post

0 Karma

russell120
Communicator

|inputlookup lookup1.csv
|lookup lookup2.csv colors OUTPUTNEW colors as Missing_Colors
|where isnull(Missing_Colors)

Ah, this did the trick.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...