Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

2 files in csv format: How to search whether one of the unique field is present in second file?

yuvasree
Explorer
‎07-20-2022 04:21 AM

I have 2 files in csv format. I want to search whether one of the unique field is present in second file. if it is present mark the value as true else false. Kindly help with the command

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-21-2022 05:15 AM

Hi @yuvasree,

yes i frgot a piece:

index=your_index (sourcetype=sourcetype1 OR sourcetype=sourcetype2
| stats values(*) AS * dc(sourcetype) AS sourcetype_count BY field
| eval status=if(sourcetype_count=2,"Both",if(sourcetype="sourcetype1","sourcetype1","sourcetype2"))
| table field status

Anyway, 

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yuvasree
Explorer
‎07-20-2022 05:50 AM

Thanks for the reply. If i have the same field name in both the files by which command can i mark the new field as true if existing in second file else false. Can i use 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-20-2022 06:07 AM

Hi @yuvasree,

in this way you filter results and you take only the one present in both the searches.

if you want to mark as present or not present, you have to run something like this:

index=your_index (sourcetype=sourcetype1 OR sourcetype=sourcetype2
| stats values(*) AS * dc(sourcetype) AS sourcetype_count BY field
| eval status=if(sourcetype_count=2,"Both",if(sourcetype="sourcetype1","sourcetype2"))
| table field status

Ciao.

Giuseppe

 

0 Karma
Reply
Solved! Jump to solution

yuvasree
Explorer
‎07-21-2022 05:11 AM

@gcusello  Thanks for the prompt response. It worked. 

But when i am executing the provided command getting the error in eval as malformed function. But if I execute like this it works fine. How can i validate the source file name as well so that it won't have wrong result if duplicates present.

| eval status=if(sourcetype_count=2,"Both","Not present")

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-21-2022 05:15 AM

Hi @yuvasree,

yes i frgot a piece:

index=your_index (sourcetype=sourcetype1 OR sourcetype=sourcetype2
| stats values(*) AS * dc(sourcetype) AS sourcetype_count BY field
| eval status=if(sourcetype_count=2,"Both",if(sourcetype="sourcetype1","sourcetype1","sourcetype2"))
| table field status

Anyway, 

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-20-2022 05:17 AM

Hi @yuvasree,

it depends on one detail:

do you want to search the values from the first csv ina field of the second or as free text search?

supponing that both the csv were uploaded in an index (your_index) with two sourcetypes (sourcetype1 and sourcetype2).

if in a field and they are named field1 (in sourcetype1) and field2 (in sourcetype2), you have to run something like this:

index=your_index sourcetype=sourcetype1 [ | search index=your_index sourcetype=sourcetype2 | rename field2 AS field1 | fields field1 ]
| ...

the most important thing is that the field name at the end of the subsearch is the same of the main search.

If instead you want to performa a free text search, you have to run something like this:

index=your_index sourcetype=sourcetype1 [ | search index=your_index sourcetype=sourcetype2 | rename field2 AS query | fields query ]
| ...

 Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...