Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Need create a query to compare two tables from dif...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mrig342
Contributor
09-24-2023
01:20 AM
Hi All,
I have got two queries to populate the host, region, tech stack & environment details. One query is a lookup table that has the list of total number of host.
| inputlookup Master_List.csv | search Region="Asia" | search "Tech Stack"="Apple" | rename host as Total_Servers | table Total_Servers
which gives below table:
| Total_Servers |
| Apple1 |
| Apple2 |
| Apple3 |
| Apple4 |
| Apple5 |
| Apple6 |
The second query gives us the list of hosts that are currently populating in splunk.
... | rex field=_raw "(?ms)]\|(?P<host>\w+\-\w+)\|"
| rex field=_raw "(?ms)]\|(?P<host>\w+)\|"
| rex field=_raw "\]\,(?P<host>[^\,]+)\,"
| rex field=_raw "\]\|(?P<host>[^\|]+)\|"
| regex _raw!="^\d+(\.\d+){0,2}\w"
| regex _raw!="/apps/tibco/datastore"
| lookup Master_List.csv "host"
| search "Tech Stack"="Apple"
| search Region="Asia"
| rename host as "Reporting_Servers" | table "Reporting_Servers"
which gives below table:
| Reporting_Servers |
| Apple1 |
| Apple4 |
| Apple5 |
Now I want to create a query to compare these two table and populate the servers that are missing from the total servers. So that output of the above tables after comparison should be like below:
| Non_Reporting_Servers |
| Apple2 |
| Apple3 |
| Apple6 |
Please help me to create a query to achieve the expected output table. Your kind inputs are highly appreciated.
Thank You..!!!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
09-24-2023
01:27 AM
Hi @Mrig342,
you have to run a simplesearch like the following:
... | rex field=_raw "(?ms)]\|(?P<host>\w+\-\w+)\|"
| rex field=_raw "(?ms)]\|(?P<host>\w+)\|"
| rex field=_raw "\]\,(?P<host>[^\,]+)\,"
| rex field=_raw "\]\|(?P<host>[^\|]+)\|"
| regex _raw!="^\d+(\.\d+){0,2}\w"
| regex _raw!="/apps/tibco/datastore"
| lookup Master_List.csv "host"
| search "Tech Stack"="Apple"
| search Region="Asia"
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup Master_List.csv WHERE Region="Asia" AND "Tech Stack"="Apple" | eval eval host=lower(host), count=0 | fields host ]
| stats sum(count) AS total BY host
| where total=0
| rename host as "Not_Reporting_Servers"
| table "Not_Reporting_Servers"Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
09-24-2023
01:27 AM
Hi @Mrig342,
you have to run a simplesearch like the following:
... | rex field=_raw "(?ms)]\|(?P<host>\w+\-\w+)\|"
| rex field=_raw "(?ms)]\|(?P<host>\w+)\|"
| rex field=_raw "\]\,(?P<host>[^\,]+)\,"
| rex field=_raw "\]\|(?P<host>[^\|]+)\|"
| regex _raw!="^\d+(\.\d+){0,2}\w"
| regex _raw!="/apps/tibco/datastore"
| lookup Master_List.csv "host"
| search "Tech Stack"="Apple"
| search Region="Asia"
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup Master_List.csv WHERE Region="Asia" AND "Tech Stack"="Apple" | eval eval host=lower(host), count=0 | fields host ]
| stats sum(count) AS total BY host
| where total=0
| rename host as "Not_Reporting_Servers"
| table "Not_Reporting_Servers"Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mrig342
Contributor
09-24-2023
09:10 AM
Hi @gcusello,
Thank you very much for your inputs..!! The query worked perfect for me.
Get Updates on the Splunk Community!
September Community Champions: A Shoutout to Our Contributors!
As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...
What’s New in Splunk Observability – September 2025
What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...
