Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Compare CSV to Search [IN CSV NOT IN SEARCH]

Workmanaquariou
New Member
‎06-19-2019 06:37 AM

Good Day!
I am trying to figure out a way to compare a csv file to a search and return only what is in the CSV file that was not in the search. Im taking an email list and doing a search for all emails received my end goal is to figure out emails in the csv that haven't received an email in x days.

I have tried: 

index=proofpoint 
    sourcetype=pps_messagelog 
| rex field=envelope.rcpts{} "(\@(?<PP_To>[a-zA-Z0-9]+.+))" 
| search envelope.rcpts{} = * 
| rename envelope.rcpts{} as "PP_Rcpts" 
| append 
    [ inputlookup DL_List.csv 
    | fields PP_Rcpts, "Display Name" ] 
| table PP_To,PP_Rcpts, "Display Name" 
| stats count by PP_Rcpts 
| search count=1 | lookup DL_List.csv PP_Rcpts  as PP_Rcpts output PP_Rcpts,"Display Name" | search PP_Rcpts!=""

I.E

CSV

  • a
  • b
  • c
  • d
  • e
  • f
  • g

Search Return

c
d
e
f
h
i
j

Wanted Results ( after CSV lookup)

a
b
g

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎06-21-2019 07:55 AM

Give this a try

index=proofpoint sourcetype=pps_messagelog 
 | search envelope.rcpts{} = * 
 | rex field=envelope.rcpts{} "(\@(?<PP_To>[a-zA-Z0-9]+.+))" 
 | rename envelope.rcpts{} as PP_Rcpts
 | fields PP_Rcpts PP_To
 | eval from="Data"
 | append 
     [ inputlookup DL_List.csv 
     | fields PP_Rcpts, "Display Name" | eval from="CSV"] 
 | stats values(from) as from values("Display name") as "DisplayName" by PP_Rcpts 
 | where mvcount(from)=1 AND from="CSV"
0 Karma
Reply

Workmanaquariou
New Member
‎06-21-2019 06:35 AM

I also tried
| inputlookup DL_List.csv
| fields PP_Rcpts
| search NOT
[ search index=proofpoint
sourcetype=pps_messagelog
| rex field=envelope.rcpts{} "(\@(?[a-zA-Z0-9]+.+))"
| rename envelope.rcpts{} as "PP_Rcpts"
| stats count by PP_Rcpts
]

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...